Hot Chocolate's Utf8GraphQLParser in affected versions has no recursion depth limit, enabling an attacker to craft deeply nested GraphQL queries that trigger a StackOverflowException in .NET, causing immediate termination of the worker process. This denial-of-service occurs before validation rules run, bypassing protections like MaxExecutionDepth and complexity analyzers. The vulnerability affects versions prior to 12.22.7, 13.9.16, 14.3.1, and 15.1.14. The patch adds a MaxAllowedRecursionDepth option to ParserOptions, enforcing recursion limits and replacing the uncatchable StackOverflowException with a catchable SyntaxException. No application-level workaround exists; only upgrading to patched versions mitigates the issue. Limiting HTTP request body size at the proxy can reduce but not eliminate risk.

Exploitation causes a StackOverflowException that immediately terminates the worker process running the GraphQL server, resulting in denial of service. All ongoing HTTP requests, background hosted services, and WebSocket subscriptions on the affected worker are dropped. The orchestrator must restart the process, causing service disruption. There is no impact on confidentiality or data integrity. The vulnerability does not allow code execution or data leakage but causes availability loss.

A fix is available in Hot Chocolate versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 that introduces a recursion depth limit to prevent stack overflow crashes. Operators should upgrade to these patched versions to fully mitigate the vulnerability. There is no application-level workaround because StackOverflowException cannot be caught in .NET. Operators can reduce risk by limiting HTTP request body size at the reverse proxy or load balancer, but this is not sufficient to prevent all crashes due to the small size of triggering payloads. Patch status is not explicitly stated in the vendor advisory, but the presence of fixed versions indicates an official fix is available.