90 matches found
CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
EUVD-2026-34269
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
CVE-2026-47706
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
CVE-2026-47706
The CVE affects Strawberry GraphQL versions 0.71.0–0.315.6, where the QueryDepthLimiter lacks cycle detection in fragment spreads, causing infinite recursion and an application-level DOS (RecursionError) during validation. The issue is fixed in 0.315.7. Remediation: upgrade to 0.315.7 or later. T...
Strawberry GraphQL 安全漏洞
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.288.4 to 0.315.3 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the GraphiQL template writing values from the header editor into the browser URL query...
PT-2026-46250
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
Strawberry GraphQL 安全漏洞
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.172.0 to 0.315.6 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the MaxAliasesLimiter extension not taking into account the multiplicative amplification...
Strawberry GraphQL 安全漏洞
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions 0.71.0 to 0.315.6 of Strawberry GraphQL contain security vulnerabilities. These vulnerabilities stem from the QueryDepthLimiter extension’s lack of loop detection in fragment extensions, which cou...
PT-2026-46249
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine depth...
Malicious code in strawberry-graphql (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on...
MAL-2026-4771 Malicious code in strawberry-graphql (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on...
CVE-2026-47707
creationtimestamp| type| source ---|---|--- 2026-05-19 17:02:32+00:00| published-proof-of-concept| https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc 2026-06-04 15:20:57+00:00| seen| https://gist.github.com/alon710/010787d34dde83f4031b6f6c155ccffb...
Insertion of Sensitive Information Into Sent Data
Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the graphiql template. An attacker can obtain sensitive HTTP header values by enticing a user to enter confidential...
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
Summary Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer , the value could become visible in browser history, copied links, and server/proxy/CDN access logs...
PT-2026-41972
Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions 0.288.4 through 0.315.3 Description The bundled GraphiQL template in Strawberry GraphQL writes values from the headers editor into the browser URL query string. This occurs because the strawberry/static/graphiql.htm...
FreeBSD : py-strawberry-graphql -- Multiple vulnerabilities (6a0aa20d-399f-11f1-8626-901b0edee044)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6a0aa20d-399f-11f1-8626-901b0edee044 advisory. The Strawberry GraphQL project reports: Strawberry up until version 0.312.3 is vulnerable to a...
CVE-2026-35523
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
CVE-2026-35526
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
CVE-2026-35523
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...
PYSEC-2026-133
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...