Output is missing '@cost' directive or equivalent
Issue ID: graphql-cost-output-directive-needed
Average severity: Medium
Description
A schema element in an output position (a field definition, object type, or scalar) does not carry a @cost directive or the equivalent cost annotation used by your framework.
The purpose of the cost directive is to assign a numeric weight for GraphQL types, fields, and arguments. This enables calculating the overall cost of executing a particular GraphQL transaction before it runs, and it allows tools and middleware to enforce threat protection and rate limiting consistently.
Some GraphQL frameworks implement cost analysis through schema directives other than @cost (for example, @complexity or @rateLimit). Despite the different directive names, the principle applies equally: any output construct that materially affects execution cost should carry the appropriate cost annotation for your framework.
For more details, see the IBM cost directive specification, or documentation for the equivalent implementation for your framework.
Possible exploit scenario
Without cost metadata on schema elements, expensive resolvers — such as aggregations, remote service calls, or database joins — appear identical in cost to trivial field lookups, making cost-based controls ineffective.
This means that your cost analysis will systematically underestimate worst-case execution cost. Attackers could craft queries that repeatedly invoke expensive resolvers by exploiting aliases or fragments, selecting the same costly field many times within a single request. Because those fields carry no cost weight, the calculated query cost remains low regardless of how many times they are selected, allowing abusive workloads to pass cost-based thresholds and degrade performance or availability.
Remediation
Annotate expensive output fields (and, where appropriate, types or scalars) with @cost(weight: "...") or the equivalent annotation in your framework so that the declared weight reflects their relative execution cost.
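The following is an added illustration, not part of this rule's tooling or the IBM specification: it reads @cost(weight: "...") annotations out of a constructed SDL and scores a constructed aliased selection against a threshold, once with the aggregation field annotated and once without. The scoring rule (declared weights are summed, and an unannotated field counts as 1) is a deliberate simplification, not the IBM cost algorithm.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed SDL: orderTotals is an aggregation and is annotated with @cost.
# The "unannotated" variant drops that directive, which is what this rule flags.
SDL_ANNOTATED = '''
type Query {
  user(id: ID!): User @cost(weight: "1")
}
type User {
  name: String @cost(weight: "1")
  orderTotals: [Float!] @cost(weight: "50")
}
'''
SDL_UNANNOTATED = SDL_ANNOTATED.replace(' @cost(weight: "50")', "")

TYPE_RE = re.compile(r"type\s+(\w+)\s*\{([^}]*)\}")
FIELD_RE = re.compile(
    r'^\s*(\w+)(?:\([^)]*\))?\s*:\s*[\[\]\w!]+(?:\s*@cost\(weight:\s*"(\d+)"\))?', re.M)

def parse_weights(sdl: str) -> Dict[str, Optional[int]]:
    """Map 'Type.field' -> declared weight, or None when the field has no @cost."""
    weights: Dict[str, Optional[int]] = {}
    for type_name, body in TYPE_RE.findall(sdl):
        for field_name, weight in FIELD_RE.findall(body):
            weights[f"{type_name}.{field_name}"] = int(weight) if weight else None
    return weights

Selection = List[Tuple[str, str, list]]  # (field name, return type, sub-selection)

def query_cost(weights: Dict[str, Optional[int]], parent_type: str,
               selection: Selection, default: int = 1) -> int:
    """Sum declared weights over the selection. An unannotated field counts as
    `default`, so an expensive resolver scores the same as a trivial lookup."""
    total = 0
    for field, return_type, sub in selection:
        w = weights.get(f"{parent_type}.{field}")
        total += default if w is None else w
        total += query_cost(weights, return_type, sub, default)
    return total

def aliased_selection(n: int) -> Selection:
    # Shape of { user(id: "1") { a1: orderTotals a2: orderTotals ... } }:
    # aliases let the same field be selected n times in one request.
    return [("user", "User", [("orderTotals", "Float", [])] * n)]

def check(sdl: str, selection: Selection, max_cost: int) -> Tuple[int, bool]:
    """Return (estimated cost, whether the request passes the threshold)."""
    cost = query_cost(parse_weights(sdl), "Query", selection)
    return cost, cost <= max_cost
```

With the annotation present, twenty aliased selections of orderTotals score 1001 and are rejected at a threshold of 100; without it the same request scores 21 and passes.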