Numeric scalar in output has no minimum defined

Issue ID: graphql-data-output-numeric-scalar-min-needed

Average severity: Medium

Description

A numeric scalar used in an output position has no minimum value specified. While GraphQL guarantees that the value is numeric (Int or Float), it does not enforce any lower bound on it.

For more details, see the GraphQL constraints specification.

Possible exploit scenario

Without an explicit minimum, the API contract does not communicate whether zero or negative values are valid, and nothing at the schema boundary prevents the API from returning:

  • Negative values that violate business expectations
  • Underflow artifacts from backend computations
  • Sentinel values not intended for external exposure
  • Values that indicate internal error states

This can lead to:

  • Client-side logic failures
  • Misinterpretation of business data
  • Inconsistent behavior across versions
  • Exposure of internal computation anomalies (for example, a negative inventory or totalCount signals backend inconsistency or data corruption, even when it was never intended to reach the client)

Although this issue is generally less exploitable than a missing input constraint, clearly defining output bounds strengthens contract integrity and reduces ambiguity for API consumers.

Remediation

Set minimum and maximum (or equivalent) constraints on numeric scalars to restrict returned values to the range that is valid for your application. We recommend that you:

  • Define both minimum and maximum bounds whenever possible
  • Use min: 0 for counters and quantities that should never be negative
  • Align output constraints with documented business rules
  • Ensure consistent scalar definitions across subgraphs in federated APIs

Explicit lower bounds improve contract clarity, prevent unintended value exposure, and strengthen API robustness.
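The following is an added example, not code from the original page or from any scanner or GraphQL library. It shows the two sides of the finding above in one script: it lists numeric output fields that carry no minimum (what this issue flags), and it checks a response payload against the min/max bounds that the remediation asks you to declare, so a negative inventory or a -1 sentinel in totalCount is caught at the API boundary instead of reaching clients. The schema, the @constraint(min:, max:) directive on output fields (written in the style of the graphql-constraint-directive convention), and the response payload are all constructed for the example; a real deployment would enforce the same check inside the scalar's serialize step or a response middleware.

```python
"""Check a GraphQL response against output bounds declared in the SDL.

Added example, not part of the original page. The @constraint directive,
the schema and the response below are constructed assumptions.
"""
import re

# Constructed schema: most numeric output fields declare explicit bounds;
# discountPercent deliberately has none, so it is exactly what the finding flags.
SCHEMA_SDL = """
type Product {
  id: ID!
  inventory: Int! @constraint(min: 0)
  price: Float! @constraint(min: 0, max: 1000000)
  rating: Float @constraint(min: 0, max: 5)
  discountPercent: Int
}

type ProductPage {
  totalCount: Int! @constraint(min: 0)
  items: [Product!]!
}
"""

# Constructed response: totalCount carries a -1 sentinel and one item has a
# negative inventory, both of which violate the declared minimums.
SAMPLE_RESPONSE = {
    "totalCount": -1,
    "items": [
        {"id": "p1", "inventory": 12, "price": 19.99, "rating": 4.5, "discountPercent": 10},
        {"id": "p2", "inventory": -3, "price": 5.0, "rating": None, "discountPercent": -20},
    ],
}

TYPE_RE = re.compile(r"type\s+(\w+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(
    r"^\s*(\w+)\s*:\s*(\[?)(\w+)!?\]?!?(?:\s*@constraint\(([^)]*)\))?", re.M
)
BOUND_RE = re.compile(r"(min|max)\s*:\s*(-?\d+(?:\.\d+)?)")


def parse_schema(sdl):
    """Return {type: {field: (field_type, is_list, min, max)}} from the SDL.

    Only Int and Float fields get bounds; min/max stay None when the field
    carries no @constraint directive."""
    schema = {}
    for tname, body in TYPE_RE.findall(sdl):
        fields = {}
        for fname, bracket, ftype, args in FIELD_RE.findall(body):
            lo = hi = None
            if ftype in ("Int", "Float") and args:
                for key, val in BOUND_RE.findall(args):
                    if key == "min":
                        lo = float(val)
                    else:
                        hi = float(val)
            fields[fname] = (ftype, bracket == "[", lo, hi)
        schema[tname] = fields
    return schema


def unbounded_numeric_fields(schema):
    """Numeric output fields with no minimum declared: the fields this issue reports."""
    return [
        f"{tname}.{fname}"
        for tname, fields in schema.items()
        for fname, (ftype, _, lo, _) in fields.items()
        if ftype in ("Int", "Float") and lo is None
    ]


def check_output(obj, type_name, schema, path="data"):
    """Walk a response object and return a list of bound violations.

    Nested object types are recursed into; an empty list means every bounded
    numeric field in the payload honours the declared contract."""
    violations = []
    for fname, value in obj.items():
        if fname not in schema.get(type_name, {}):
            continue
        ftype, is_list, lo, hi = schema[type_name][fname]
        items = value if is_list else [value]
        for i, item in enumerate(items):
            here = f"{path}.{fname}" + (f"[{i}]" if is_list else "")
            if item is None:
                continue
            if ftype in schema:  # nested object type
                violations += check_output(item, ftype, schema, here)
            elif ftype in ("Int", "Float"):
                if lo is not None and item < lo:
                    violations.append(f"{here}={item} below min {lo:g}")
                if hi is not None and item > hi:
                    violations.append(f"{here}={item} above max {hi:g}")
    return violations


if __name__ == "__main__":
    schema = parse_schema(SCHEMA_SDL)
    print("unbounded numeric outputs:", unbounded_numeric_fields(schema))
    for v in check_output(SAMPLE_RESPONSE, "ProductPage", schema):
        print("violation:", v)
```

Note what the check does not catch: discountPercent is -20 in the second item, but because the field declares no minimum the validator has no contract to compare it against, which is the practical cost of leaving the bound undefined. Declaring min: 0 on that field turns the silent leak into a detected violation.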