Numeric scalar in input has no minimum defined

Possible exploit scenario

Without an explicit minimum, clients may submit negative or otherwise unexpected values that violate business logic assumptions. Attackers could submit values such as:

• Negative quantities
• Zero where strictly positive values are expected
• Extremely small floating-point values
• Boundary values that trigger underflow conditions

These could lead to:

• Bypassing business logic checks (for example, negative quantities to reduce totals)
• Reducing counters or balances unexpectedly
• Arithmetic underflow or other errors
• Unexpected branching behavior
• Database constraint violations
• Silent corruption of application state

If no minimum constraint exists, the backend may rely solely on resolver logic to detect invalid values. Inconsistent or missing validation increases the risk of exploitable conditions.

Even when errors are thrown, inconsistent handling or too verbose error messages may expose stack traces, internal state, or other implementation and system details, opening the door to further attacks. For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.