zaproxy · thc202 · Feb 3, 2026 · Feb 3, 2026
diff --git a/site/content/docs/alerts/50007-1.md b/site/content/docs/alerts/50007-1.md
@@ -3,7 +3,7 @@ title: "GraphQL Endpoint Supports Introspection"
 alertid: 50007-1
 alertindex: 5000701
 alerttype: "Tool"
-alertcount: 2
+alertcount: 3
 status: alpha
 type: alert
 risk: Informational

diff --git a/site/content/docs/alerts/50007-2.md b/site/content/docs/alerts/50007-2.md
@@ -3,7 +3,7 @@ title: "GraphQL Server Implementation Identified"
 alertid: 50007-2
 alertindex: 5000702
 alerttype: "Tool"
-alertcount: 2
+alertcount: 3
 status: alpha
 type: alert
 risk: Informational

diff --git a/site/content/docs/alerts/50007-3.md b/site/content/docs/alerts/50007-3.md
@@ -0,0 +1,25 @@
+---
+title: "GraphQL Circular Type Reference"
+alertid: 50007-3
+alertindex: 5000703
+alerttype: "Tool"
+alertcount: 3
+status: alpha
+type: alert
+risk: Informational
+solution: "Consider restructuring the schema to avoid circular references. Use IDs or foreign keys instead of direct object references. Enforce query depth limits and use pagination to control deep nested queries."
+references:
+   - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#dos-prevention
+other: "Query -> (Organization -> Repository -> PullRequest -> Commit -> Organization)"
+cwe: 16
+wasc: 15
+alerttags: 
+  - CWE-16
+  - OWASP_2021_A04
+  - OWASP_2023_API4
+  - WSTG-v42-APIT-01
+code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/ExtensionGraphQl.java
+linktext: "org/zaproxy/addon/graphql/ExtensionGraphQl.java"
+help: https://www.zaproxy.org/docs/desktop/addons/graphql-support/alerts/#id-50007
+---
+A circular reference was detected in the GraphQL schema, where object types reference each other in a cycle. This can be exploited by attackers to craft deeply recursive queries, potentially leading to Denial of Service (DoS) conditions.
diff --git a/site/content/docs/alerts/50007.md b/site/content/docs/alerts/50007.md
@@ -12,6 +12,9 @@ alerts:
    50007-2:
       alertid: 50007-2
       name: "GraphQL Server Implementation Identified"
+   50007-3:
+      alertid: 50007-3
+      name: "GraphQL Circular Type Reference"
 code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/ExtensionGraphQl.java
 linktext: "org/zaproxy/addon/graphql/ExtensionGraphQl.java"
 ---
diff --git a/site/data/alerttags.yml b/site/data/alerttags.yml
@@ -319,6 +319,9 @@ OWASP_2021_A08:
 OWASP_2021_A10:
   link: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
 
+OWASP_2023_API4:
+  link: https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
+
 PCI_DSS:
   link: https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance
 
@@ -355,6 +358,9 @@ SYSTEMIC:
 TEST_TIMING:
   link: 
 
+WSTG-v42-APIT-01:
+  link: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL
+
 WSTG-v42-ATHN-01:
   link: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel