When a server receives a deeply nested query, it attempts to resolve all the requested data. This process can consume a substantial amount of
computational resources, leading to a slowdown in server response times.
What is the potential impact?
A server that faces a resource exhaustion situation can become unstable. The exact impact will depend on how the affected application is deployed
and how well the hosting server configuration is hardened.
In the worst case, when the application is deployed in an uncontained environment, directly on its host system, the memory exhaustion will affect
the whole hosting server. The server’s operating system might start killing arbitrary memory-intensive processes, including the main application or
other sensitive ones. This will result in a general operating failure, also known as a Denial of Service (DoS).
In cases where the application is deployed in a virtualized or otherwise contained environment, or where resource usage limits are in place, the
consequences are limited to the vulnerable application only. In that case, other processes and applications hosted on the same server may keep on
running without perturbation. The vulnerable application will still stop working properly.
In general, that kind of DoS attack can have severe financial consequences. They are particularly important when the affected systems are
business-critical.
