Output has no cost weight defined
Issue ID: graphql-cost-output-weight-needed
Average severity: Medium
Description
A @cost or equivalent directive has no weight argument defined. This could be because the weight argument is missing, it is empty, or it is not a valid numeric value encoded as a string argument.
Because the sole purpose of a cost directive is to define the weight used in cost analysis, each cost directive must define a weight argument.
For more details, see the IBM cost directive specification, or documentation for the equivalent implementation for your framework.
Possible exploit scenario
If the weight value is absent or malformed, the cost engine typically ignores the annotation or falls back to a default of zero, causing systematic underestimation of execution cost. Attackers could compose queries that heavily select those fields — through the use of aliases, fragments, or deeply nested selections — and then repeatedly trigger the expensive resolvers at a computed cost that is far below the actual execution cost. Cost-based thresholds and rate limits fail to catch these requests, enabling sustained server load.
Remediation
Require valid numeric weight values encoded as a string argument ("12.5" instead of 12.5) wherever a cost directive is used on output fields, types, or scalars. Validate the directive when loading the schema and reject schemas that have a cost directive without a parseable weight.
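The schema-load check described above, as an added example that is not part of this page or of any particular GraphQL framework. It assumes the IBM-style spelling (`@cost(weight: "...")`) and uses a deliberately simple line-by-line regex scanner rather than a full GraphQL SDL parser, so it will not cope with a `)` inside a string argument; the sample schema is constructed for the example and contains one valid directive and the four defect shapes the description lists (missing weight, empty weight, unparseable weight, and a bare number instead of a string).

```python
import math
import re
from typing import List, Tuple

# Constructed sample SDL: one correct @cost plus the four defective forms.
SAMPLE_SDL = """\
scalar BigDecimal @cost(weight: "2")

type Query {
  user(id: ID!): User @cost(weight: "1.5")
  report(year: Int!): Report @cost(weight: 12.5)
  search(term: String!): [User!]! @cost(weight: "")
  audit(limit: Int!): [Report!]! @cost
  trivial: String
}

type Report @cost(weight: "abc") {
  id: ID!
}
type User {
  id: ID!
}
"""

# Same schema with every weight supplied as a parseable numeric string.
FIXED_SDL = (
    SAMPLE_SDL.replace('weight: 12.5)', 'weight: "12.5")')
    .replace('weight: "")', 'weight: "3")')
    .replace('@cost\n', '@cost(weight: "4")\n')
    .replace('weight: "abc"', 'weight: "0.5"')
)

# Matches "@cost" with an optional argument list (simplified: no nested parens).
COST_DIRECTIVE = re.compile(r'@cost\b(\([^)]*\))?')
# Captures the weight argument either as a string literal or as a bare token.
WEIGHT_ARG = re.compile(r'\bweight\s*:\s*("(?P<str>[^"]*)"|(?P<raw>[^,\s)]+))')


def parse_weight(arg_text: str) -> float:
    """Return the weight of one @cost argument list, or raise ValueError saying why it is unusable."""
    m = WEIGHT_ARG.search(arg_text)
    if not m:
        raise ValueError("weight argument is missing")
    if m.group("raw") is not None:
        # A bare number (12.5) is not the string-encoded form the directive requires.
        raise ValueError(f"weight {m.group('raw')!r} must be a string literal")
    text = m.group("str").strip()
    if not text:
        raise ValueError("weight argument is empty")
    try:
        value = float(text)
    except ValueError:
        raise ValueError(f"weight {text!r} is not a valid number") from None
    if not math.isfinite(value):
        # "nan"/"inf" parse as floats but are not meaningful cost weights.
        raise ValueError(f"weight {text!r} is not a finite number")
    return value


def find_cost_directive_issues(sdl: str) -> List[Tuple[int, str, str]]:
    """Scan SDL text and return (line number, source line, reason) for every defective @cost."""
    issues = []
    for lineno, line in enumerate(sdl.splitlines(), start=1):
        for m in COST_DIRECTIVE.finditer(line):
            try:
                parse_weight(m.group(1) or "")
            except ValueError as exc:
                issues.append((lineno, line.strip(), str(exc)))
    return issues


def validate_schema(sdl: str) -> bool:
    """Reject a schema at load time if any @cost directive lacks a parseable weight."""
    issues = find_cost_directive_issues(sdl)
    if issues:
        details = "\n".join(f"  line {n}: {why}  [{src}]" for n, src, why in issues)
        raise ValueError("schema rejected: @cost without a parseable weight\n" + details)
    return True


if __name__ == "__main__":
    try:
        validate_schema(SAMPLE_SDL)
    except ValueError as err:
        print(err)
    print("fixed schema accepted:", validate_schema(FIXED_SDL))
```

Wiring `validate_schema` into the schema-loading path (or a CI step over the committed SDL) turns a silent fallback-to-zero weight into a hard failure before the cost engine ever sees the schema.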