Numeric scalar in output has no maximum defined
Issue ID: graphql-data-output-numeric-scalar-max-needed
Average severity: Medium
Description
A numeric scalar used in an output position has no maximum value specified. While GraphQL ensures the value is numeric (Int or Float), it does not enforce any business or operational bounds.
For more details, see the GraphQL constraints specification.
Possible exploit scenario
Without an explicit maximum, the API contract does not clearly communicate the expected value range to consumers. If no maximum constraint is defined, the API may expose:
- Unexpectedly large values due to logic flaws
- Internal system capacity indicators
- Overflows from downstream systems
- Unbounded or unstable values caused by implementation changes
This can result in:
- Information disclosure about system scale or state (for example, returning an unbounded totalCount may unintentionally reveal business-sensitive metrics or operational scale)
- Contract instability across versions
- Downstream client failures due to unanticipated large values
- Cascading performance issues in consumers
Although this issue is less directly exploitable than unbounded input values, clearly defining output ranges improves contract clarity, governance, and robustness.
Remediation
Set minimum and maximum (or equivalent) constraints on numeric scalars so that the values they carry are limited to the range that makes sense for your application. We recommend that you:
- Define both minimum and maximum bounds where possible
- Avoid exposing raw internal counters without range guarantees
- Align output constraints with documented API behavior
- Maintain consistency across services and federated subgraphs
Explicit numeric bounds strengthen API contract stability and reduce unintended information exposure.
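As an added example (not from the original page or from any particular GraphQL tool), the following JavaScript builds a bounded Int scalar whose serialize step fails closed on out-of-range output, and applies the same bound to input through parseValue and parseLiteral, since one check serves both directions. The returned config follows the shape graphql-js expects for GraphQLScalarType (assumed, not imported, so the snippet runs stand-alone); TotalCount and its 0..10000 range are constructed for illustration.

```javascript
// Added example, not from the original page. Builds a bounded Int scalar
// config in the shape graphql-js accepts for `new GraphQLScalarType(config)`
// (assumed shape; the library is not imported so this runs stand-alone).
function boundedIntScalar(name, { min, max }) {
  if (!Number.isSafeInteger(min) || !Number.isSafeInteger(max) || min > max) {
    throw new TypeError(`${name}: invalid bounds [${min}, ${max}]`);
  }
  const check = (value, direction) => {
    if (!Number.isInteger(value)) {
      throw new TypeError(`${name}: ${direction} value is not an integer`);
    }
    if (value < min || value > max) {
      // Fail closed. graphql-js turns a throw in serialize() into a field
      // error and nulls the field, so the raw value never leaves the server.
      throw new RangeError(`${name}: ${direction} value out of range [${min}, ${max}]`);
    }
    return value;
  };
  return {
    name,
    description: `Int constrained to [${min}, ${max}]`,
    serialize: (v) => check(v, "output"),   // resolver result -> response
    parseValue: (v) => check(v, "input"),   // variable value -> argument
    parseLiteral: (ast) => {                // inline literal in the query
      if (!ast || ast.kind !== "IntValue") {
        throw new TypeError(`${name}: literal must be an Int`);
      }
      return check(parseInt(ast.value, 10), "input");
    },
  };
}

// Mimics how the executor handles one scalar field: a successful serialize
// becomes data, a throw becomes a null field plus an error entry.
function executeScalarField(scalar, resolverResult) {
  try {
    return { data: scalar.serialize(resolverResult), errors: [] };
  } catch (err) {
    return { data: null, errors: [err.message] };
  }
}

// Constructed bound for the page's totalCount example; 10000 is an
// assumption, pick the ceiling your application actually supports.
const TotalCount = boundedIntScalar("TotalCount", { min: 0, max: 10000 });

// An oversized counter leaking from a downstream bug is contained as a field error.
console.log(executeScalarField(TotalCount, 42));        // data: 42, no errors
console.log(executeScalarField(TotalCount, 98765432));  // data: null, one error
```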