We need to be careful when we’re parsing GraphQL queries.
Description

tl;dr: We need to be careful when we’re parsing GraphQL queries. The first thing that comes to mind is the following question: What happens if I’m not able to parse a query? If you pick a random GraphQL framework and run it with default settings in production, disaster is waiting to happen. You’ll get an exception like this one from Apollo Client:

I’ve seen this error message several times already and it’s always scary for me because of its implications. It means that your server was exposed publicly without any protection against malicious attackers who could have done anything they wanted on your server.
https://t.co/TOetaopvFL
