Vulnerability Summary
Writeup — Business Logic Vulnerability
A grocery-delivery platform's GraphQL API accepted an arbitrary client-supplied itemCount during order creation with no server-side bounds checking. By intercepting the createOrder request and changing a normal quantity to an impossible value (e.g. 999,999,999), an authenticated low-privilege user could create a "legitimate" order far exceeding any realistic inventory, delivery, or business limit.
The order was accepted, confirmed, and the targeted product was reserved/marked unavailable — turning a single request into an inventory and fulfillment disruption affecting real customers.
The root cause was a Business Logic vulnerability: the server trusted the client-supplied quantity instead of enforcing its own per-order, stock and delivery limits, so a value that no legitimate checkout flow could ever submit was processed like any other order.
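To make the flaw concrete, the following is an added example written for this summary; it is not the platform's code. It models the createOrder resolver two ways: as the writeup describes it (the client's itemCount is reserved as-is) and with the server-side bounds checking that was missing. The inventory, the MAX_ITEMS_PER_ORDER limit, the error codes and the request body are all constructed assumptions.

```javascript
const MAX_ITEMS_PER_ORDER = 50; // assumed per-order business limit, not from the writeup

// Constructed inventory: productId -> units available for reservation.
function makeInventory() {
  return new Map([
    ['milk-1l', 120],
    ['bread-white', 40],
  ]);
}

// A product reads as unavailable once its reservable stock is gone.
function isAvailable(inventory, productId) {
  return (inventory.get(productId) ?? 0) > 0;
}

// Vulnerable resolver, as the writeup describes it: itemCount comes straight
// from the client and is reserved with no bounds check at all.
function createOrderVulnerable(inventory, { productId, itemCount }) {
  const available = inventory.get(productId);
  if (available === undefined) throw new Error('UNKNOWN_PRODUCT');
  inventory.set(productId, available - itemCount); // stock goes deeply negative
  return { status: 'CONFIRMED', productId, reserved: itemCount };
}

// Hardened resolver: type, range and stock are all checked server-side before
// anything is reserved. Error code names are assumptions.
function createOrderHardened(inventory, { productId, itemCount }) {
  const available = inventory.get(productId);
  if (available === undefined) throw new Error('UNKNOWN_PRODUCT');
  if (!Number.isSafeInteger(itemCount) || itemCount < 1) throw new Error('INVALID_QUANTITY');
  if (itemCount > MAX_ITEMS_PER_ORDER) throw new Error('QUANTITY_EXCEEDS_LIMIT');
  if (itemCount > available) throw new Error('INSUFFICIENT_STOCK');
  inventory.set(productId, available - itemCount);
  return { status: 'CONFIRMED', productId, reserved: itemCount };
}

// Minimal GraphQL-style transport: parse the POST body an intercepting proxy
// would show, run the resolver, and shape the reply as { data } or { errors }.
function handleCreateOrder(resolver, inventory, rawBody) {
  const { variables } = JSON.parse(rawBody);
  try {
    return { data: { createOrder: resolver(inventory, variables) } };
  } catch (err) {
    return { errors: [{ message: err.message }] };
  }
}

// Constructed request body: a normal quantity has been edited to 999999999 in
// the proxy. That value still fits a 32-bit GraphQL Int, so schema type
// validation alone does not reject it; only the resolver can.
const TAMPERED_REQUEST = JSON.stringify({
  query: 'mutation($productId: ID!, $itemCount: Int!) { createOrder(productId: $productId, itemCount: $itemCount) { status } }',
  variables: { productId: 'milk-1l', itemCount: 999999999 },
});

if (typeof require !== 'undefined' && require.main === module) {
  const inv = makeInventory();
  console.log(handleCreateOrder(createOrderVulnerable, inv, TAMPERED_REQUEST));
  console.log('milk available after vulnerable order:', isAvailable(inv, 'milk-1l'));
  console.log(handleCreateOrder(createOrderHardened, makeInventory(), TAMPERED_REQUEST));
}
```

Run with `node` to see the vulnerable resolver confirm the order and leave the product unavailable, while the hardened resolver rejects the same request with a structured error and leaves stock untouched. The order of checks matters: integer and sign validation first (a float, negative or non-numeric quantity never reaches arithmetic), then the business cap, then current stock, so that every rejection happens before the reservation is written.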