List in input has no maximum number of items defined
Issue ID: graphql-data-input-list-max-items-needed
Average severity: High
Description
A list used in an input position does not specify the maximum number of items it can have. GraphQL allows clients to submit arrays of arbitrary size unless the schema explicitly constrains them.
For more details, see the GraphQL constraints specification.
Possible exploit scenario
Without a maxItems or equivalent constraint on a list, a client can send an arbitrarily large number of elements in a single request. Attackers may submit extremely large lists that:
- Trigger massive batch processing and excessive resolver executions
- Amplify database queries and overload database connections
- Cause N+1 query explosions
- Consume excessive memory
- Increase CPU load
- Slow down request parsing and validation and increase response latency
- Degrade overall service availability and system performance
Sustained abuse can impact availability for legitimate users. Even if the backend eventually rejects the input, each oversized payload still has to be received, parsed and validated, so repeated submissions can contribute to denial-of-service (DoS and DDoS) conditions. While modern managed runtimes typically prevent classical buffer overflows, unbounded list inputs remain a common vector for application-level resource exhaustion.
Remediation
Define explicit maximum size constraints for all input list types. We recommend that you:
- Always define maxItems or an equivalent constraint for input lists
- Keep limits aligned with backend batch-processing capabilities
- Apply stricter limits for:
- Mutations
- Expensive operations
- Cross-service calls
- Avoid relying solely on resolver-level checks: by the time a resolver runs, the oversized payload has already been parsed and validated, so enforce the limit at the schema or validation layer as well
Explicit list bounds significantly reduce abuse potential and improve API resilience.
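As an added example (not code from this page or from any particular GraphQL server), the following stdlib-only Python snippet shows how declared maxItems limits can be enforced on input lists, including lists nested inside input objects, before any resolver executes. The input types, their limits, the `@constraint(maxItems: ...)` directive syntax quoted in the comments, the `createBulkOrder` mutation and the request payloads are all constructed for illustration and are not part of the original page.

```python
"""Enforce maxItems limits on GraphQL input lists before any resolver runs.

Hypothetical schema this mirrors (directive syntax assumed for illustration):

    input LineItemInput {
      sku: String!
      tags: [String!] @constraint(maxItems: 10)
    }
    input BulkOrderInput {
      items: [LineItemInput!]! @constraint(maxItems: 50)
      couponCodes: [String!] @constraint(maxItems: 5)
    }
    type Mutation {
      createBulkOrder(input: BulkOrderInput!): Order
    }
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Cheapest first line of defence: refuse huge bodies before JSON parsing.
MAX_BODY_BYTES = 64 * 1024  # assumed limit for this example


@dataclass
class FieldSpec:
    type_name: str                  # scalar or input object type name
    is_list: bool = False
    max_items: Optional[int] = None  # None means unbounded: exactly the finding


# Constructed registry of input types: type -> field -> spec
INPUT_TYPES: Dict[str, Dict[str, FieldSpec]] = {
    "LineItemInput": {
        "sku": FieldSpec("String"),
        "tags": FieldSpec("String", is_list=True, max_items=10),
    },
    "BulkOrderInput": {
        "items": FieldSpec("LineItemInput", is_list=True, max_items=50),
        "couponCodes": FieldSpec("String", is_list=True, max_items=5),
    },
}

# Constructed mutation arguments: mutation -> argument -> spec
MUTATION_ARGS: Dict[str, Dict[str, FieldSpec]] = {
    "createBulkOrder": {"input": FieldSpec("BulkOrderInput")},
}


def body_too_large(raw_body: bytes) -> bool:
    """True when the request should be rejected without even parsing it."""
    return len(raw_body) > MAX_BODY_BYTES


def _validate_value(value: Any, spec: FieldSpec, path: str, violations: List[str]) -> None:
    """Walk a coerced argument value and record every maxItems violation."""
    if spec.is_list:
        if not isinstance(value, list):
            value = [value]  # GraphQL input coercion wraps a single value in a list
        if spec.max_items is not None and len(value) > spec.max_items:
            violations.append(
                f"{path}: {len(value)} items exceeds maxItems={spec.max_items}"
            )
            return  # do not spend time descending into an oversized list
        for index, item in enumerate(value):
            _validate_value(item, FieldSpec(spec.type_name), f"{path}[{index}]", violations)
        return
    # Non-list input object: recurse into its declared fields
    fields = INPUT_TYPES.get(spec.type_name)
    if fields and isinstance(value, dict):
        for name, field_spec in fields.items():
            if value.get(name) is not None:
                _validate_value(value[name], field_spec, f"{path}.{name}", violations)


def check_list_limits(mutation: str, args: Dict[str, Any]) -> List[str]:
    """Return a list of violations; an empty list means resolvers may run."""
    violations: List[str] = []
    for name, spec in MUTATION_ARGS[mutation].items():
        if name in args:
            _validate_value(args[name], spec, f"{mutation}.{name}", violations)
    return violations


if __name__ == "__main__":
    # Constructed abusive payload: every nested tags list and couponCodes are oversized
    abusive = {
        "input": {
            "items": [{"sku": f"sku-{i}", "tags": ["t"] * 11} for i in range(3)],
            "couponCodes": ["c"] * 6,
        }
    }
    for problem in check_list_limits("createBulkOrder", abusive):
        print("rejected:", problem)
```

The check runs on the already-coerced variables map, which is where a validation rule or server middleware sees the request, so it fails the whole operation before a single resolver or database call is made. Stopping the walk at the first oversized list keeps the validator itself cheap on deliberately huge inputs.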