Address review findings

- Add PHPDoc description for recursionLimit option
- Extract DEFAULT_RECURSION_LIMIT constant
- Narrow type to int<0, max> to reject negative values statically
- Add boundary tests for parseValueLiteral and parseTypeReference
- Add CHANGELOG entry for GHSA-r7cg-qjjm-xhqq
- Document parser recursion limit in docs/security.md

🤖 Generated with Claude Code

Author: spawnia

CHANGELOG.md

@@ -9,6 +9,10 @@ You can find and compare releases at the [GitHub release page](https://github.co
 
 ## Unreleased
 
+### Fixed
+
+- Denial of Service via stack overflow from deeply nested queries in the parser https://github.com/webonyx/graphql-php/security/advisories/GHSA-r7cg-qjjm-xhqq
+
 ## v15.32.2
 
 ### Fixed

docs/class-reference.md

@@ -1158,7 +1158,7 @@ Parses string containing GraphQL query language or [schema definition language](
   allowLegacySDLEmptyFields?: bool,
   allowLegacySDLImplementsInterfaces?: bool,
   experimentalFragmentVariables?: bool,
-  recursionLimit?: int
+  recursionLimit?: int<0, max>
 }
 ```
 
@@ -1189,6 +1189,11 @@ Parses string containing GraphQL query language or [schema definition language](
 
   Note: this feature is experimental and may change or be removed in the future.
 
+- **recursionLimit**:
+  Limits the depth of recursion during parsing to prevent stack overflows from deeply nested queries.
+  The counter is shared across `parseSelectionSet`, `parseValueLiteral`, and `parseTypeReference`.
+  Defaults to 256. Set to 0 to disable the limit.
+
 Those magic functions allow partial parsing:
 
 @method static NameNode name(Source|string $source, ParserOptions $options = [])

docs/security.md

@@ -11,6 +11,29 @@ At a basic level, it is recommended to limit the resources a single HTTP request
 
 In addition, graphql-php offers security mechanisms that are specific to GraphQL.
 
+## Parser Recursion Limit
+
+The parser uses recursive descent to handle nested structures such as selection sets, list values, and list types.
+Without a depth limit, a deeply nested query can cause a PHP stack overflow (SIGSEGV) that cannot be caught.
+
+By default, the parser limits recursion depth to **256**.
+This is well above realistic queries (typically 10–20 levels deep) and far below the threshold that would crash PHP.
+
+You can customize the limit through the `recursionLimit` parser option:
+
+```php
+use GraphQL\Language\Parser;
+
+// Custom limit
+$ast = Parser::parse($source, ['recursionLimit' => 128]);
+
+// Disable the limit (not recommended for untrusted input)
+$ast = Parser::parse($source, ['recursionLimit' => 0]);
+```
+
+The limit is shared across all recursive entry points (`parseSelectionSet`, `parseValueLiteral`, `parseTypeReference`).
+When exceeded, the parser throws a `SyntaxError` before the PHP stack overflows.
+
 ## Query Complexity Analysis
 
 This is a port of [Query Complexity Analysis in Sangria](https://sangria-graphql.github.io/learn#query-complexity-analysis).

src/Language/Parser.php

@@ -66,7 +66,7 @@
  *   allowLegacySDLEmptyFields?: bool,
  *   allowLegacySDLImplementsInterfaces?: bool,
  *   experimentalFragmentVariables?: bool,
- *   recursionLimit?: int
+ *   recursionLimit?: int<0, max>
  * }
  *
  * - **noLocation**:
@@ -96,6 +96,11 @@
  *
  *   Note: this feature is experimental and may change or be removed in the future.
  *
+ * - **recursionLimit**:
+ *   Limits the depth of recursion during parsing to prevent stack overflows from deeply nested queries.
+ *   The counter is shared across `parseSelectionSet`, `parseValueLiteral`, and `parseTypeReference`.
+ *   Defaults to 256. Set to 0 to disable the limit.
+ *
  * Those magic functions allow partial parsing:
  *
  * @method static NameNode name(Source|string $source, ParserOptions $options = [])
@@ -168,6 +173,9 @@
  */
 class Parser
 {
+    /** @api */
+    public const DEFAULT_RECURSION_LIMIT = 256;
+
     /**
      * Given a GraphQL source, parses it into a `GraphQL\Language\AST\DocumentNode`.
      *
@@ -333,7 +341,7 @@ public function __construct($source, array $options = [])
             ? $source
             : new Source($source);
         $this->lexer = new Lexer($sourceObj, $options);
-        $this->recursionLimit = $options['recursionLimit'] ?? 256;
+        $this->recursionLimit = $options['recursionLimit'] ?? self::DEFAULT_RECURSION_LIMIT;
     }
 
     /**

tests/Language/ParserTest.php

@@ -782,6 +782,24 @@ public function testQueryAtExactLimitPasses(): void
         $this->expectNotToPerformAssertions();
     }
 
+    public function testValueLiteralAtExactLimitPasses(): void
+    {
+        $depth = 5;
+        $query = '{ field(arg: ' . str_repeat('[', $depth) . '1' . str_repeat(']', $depth) . ') }';
+
+        Parser::parse($query, ['recursionLimit' => $depth + 2]);
+        $this->expectNotToPerformAssertions();
+    }
+
+    public function testTypeReferenceAtExactLimitPasses(): void
+    {
+        $depth = 5;
+        $query = 'query ($var: ' . str_repeat('[', $depth) . 'Int' . str_repeat(']', $depth) . ') { field }';
+
+        Parser::parse($query, ['recursionLimit' => $depth + 2]);
+        $this->expectNotToPerformAssertions();
+    }
+
     public function testSiblingBranchesDontAccumulate(): void
     {
         $limit = 5;