GraphQL Introspection Enabled

Vulnerability Details

Severity:

Medium

Category:

API

Description

The GraphQL API has introspection enabled in production, allowing anyone to query the complete API schema including all types, fields, queries, mutations, and their relationships.

Risks

An attacker can map the entire API surface, discover hidden endpoints, identify sensitive data fields, and understand the data model to craft targeted attacks more efficiently.

Remediation

Disable introspection in production environments. Implement field-level authorization. Use query depth limiting and complexity analysis. Monitor for introspection queries and excessive query patterns.
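As an added illustration of the monitoring and depth-limiting controls above (example code, not part of the original advisory), here is a standalone JavaScript check that flags the introspection root fields `__schema` and `__type` in raw query text and rejects queries whose selection sets nest deeper than a configured limit. The sample queries and the policy defaults (maximum depth 6, introspection denied) are constructed for the example.

```javascript
// Added example: gateway/monitoring-side policy check for GraphQL query text.
// It complements, and does not replace, the server's own introspection switch
// and validation rules.

// Comments and string literals are masked before scanning so that braces or
// names inside them (e.g. "__schema" in a string argument) are not counted.
const LITERAL_RE = /"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n\r]*/g;
function stripLiterals(query) {
  return query.replace(LITERAL_RE, (m) => (m[0] === '#' ? '' : '""'));
}

// Depth = deepest nesting of `{ ... }` selection sets.
// `{ me { friends { name } } }` has depth 3.
function selectionDepth(query) {
  let depth = 0, max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') max = Math.max(max, ++depth);
    else if (ch === '}') depth = Math.max(0, depth - 1);
  }
  return max;
}

// Introspection root fields. __typename is deliberately not listed: clients
// use it routinely and it reveals nothing about the schema.
function introspectionFields(query) {
  const found = stripLiterals(query).match(/\b__(?:schema|type)\b/g) || [];
  return [...new Set(found)];
}

// Evaluate one query against the policy and return every reason it fails.
function evaluateQuery(query, { maxDepth = 6, allowIntrospection = false } = {}) {
  const reasons = [];
  const fields = introspectionFields(query);
  if (!allowIntrospection && fields.length) reasons.push(`introspection: ${fields.join(',')}`);
  const depth = selectionDepth(query);
  if (depth > maxDepth) reasons.push(`depth ${depth} exceeds ${maxDepth}`);
  return { allowed: reasons.length === 0, depth, introspection: fields.length > 0, reasons };
}

// Constructed sample queries, as a gateway log might capture them:
// an introspection query, an excessively nested query, and a benign one.
const SAMPLE_QUERIES = [
  'query Introspect { __schema { types { name fields { name } } } }',
  '{ user(id: "1") { posts { comments { author { posts { comments { id } } } } } } }',
  'query Me { me { id name } } # "{ __schema }" in a comment is ignored',
];

const SAMPLE_RESULTS = SAMPLE_QUERIES.map((q) => evaluateQuery(q));
for (const r of SAMPLE_RESULTS) console.log(r);
```

Most servers also expose a native control for the same purpose (Apollo Server's `introspection` option, or graphql-js's `NoSchemaIntrospectionCustomRule` validation rule), which should remain the primary switch; this check adds visibility at the edge and catches the pattern before the server sees it.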