Query batching permits clients to send multiple GraphQL queries in a single HTTP request, with 10 or more queries executed simultaneously. While batching can improve performance and reduce the number of HTTP requests, it also introduces risk. Accepting a high number of simultaneous queries increases load on the server, makes it more vulnerable to denial-of-service (DoS) attacks, and can allow an attacker to abuse the feature for resource exhaustion or data leakage. It also complicates rate limiting and access control, because per-request limits no longer map to per-query limits, making it harder to ensure that users only execute permissible queries.
An attacker sends a batch request containing 100 GraphQL queries in a single HTTP request. Since the server does not limit the number of queries, the batch request overwhelms the server, leading to high CPU usage, memory exhaustion, and potentially causing a denial of service. The attacker may also exploit this by sending queries that access sensitive data in different parts of the system, increasing the risk of unauthorized data access or leakage.
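The mitigation the finding points at is a hard cap on batch size, enforced before any query reaches the executor. The following is an added example, not code from the original page or from any GraphQL library: a standalone Node.js check that classifies a parsed request body as a single operation or a batch, rejects oversized or malformed batches, and produces a log record a detection pipeline can key on. The limit of 10, the `checkBatchSize` and `buildBatch` names, and the response status codes are assumptions chosen for illustration.

```javascript
// Added example (not from the original page): cap GraphQL batch size before execution.
// MAX_BATCH_SIZE is an assumed policy value; tune it to what legitimate clients need.
const MAX_BATCH_SIZE = 10;

// Normalise a parsed JSON body into a list of operations.
// A GraphQL batch is a JSON array of {query, variables?, operationName?} objects;
// a single operation is one such object.
function toOperations(body) {
  return Array.isArray(body) ? body : [body];
}

// Decide whether the request may proceed. Returns a plain object so the caller
// (an HTTP handler, a middleware) can map it onto a response and a log line.
function checkBatchSize(body, limit = MAX_BATCH_SIZE) {
  const ops = toOperations(body);

  // An empty array or any element without a string `query` is malformed:
  // reject it before counting, so junk cannot be used to probe the limit.
  if (ops.length === 0 || ops.some(op => !op || typeof op.query !== "string")) {
    return { allowed: false, count: ops.length, status: 400, reason: "malformed_operation" };
  }

  // The core control: refuse batches above the configured cap. 413 (Payload Too
  // Large) is an assumed choice; 429 would also be defensible if you treat it as a rate limit.
  if (ops.length > limit) {
    return { allowed: false, count: ops.length, status: 413, reason: "batch_too_large" };
  }

  return { allowed: true, count: ops.length, status: 200, reason: null };
}

// Build a structured log entry for the decision. Logging the batch size on every
// request lets a detection rule alert on clients that repeatedly hit the cap.
function auditRecord(clientId, decision, limit = MAX_BATCH_SIZE) {
  return {
    event: "graphql_batch_check",
    client: clientId,
    batch_size: decision.count,
    limit,
    allowed: decision.allowed,
    reason: decision.reason,
  };
}

// Constructed sample input: a batch of n trivial queries, standing in for the
// 100-query request described in the finding.
function buildBatch(n) {
  return Array.from({ length: n }, (_, i) => ({ query: `query Q${i} { viewer { id } }` }));
}

// Stand-alone demonstration.
const oversized = checkBatchSize(buildBatch(100));
console.log(JSON.stringify(auditRecord("client-constructed-1", oversized)));
// -> allowed:false, batch_size:100, reason:"batch_too_large"

const withinLimit = checkBatchSize(buildBatch(10));
console.log(JSON.stringify(auditRecord("client-constructed-2", withinLimit)));
// -> allowed:true, batch_size:10
```

Wire `checkBatchSize` in before the body is handed to the GraphQL executor, and apply the same cap to the variables or aliases a single query can carry if your schema is expensive per field; the batch cap alone does not bound the work inside one query.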