16 matches found
CVE-2026-47706
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
Allocation of Resources Without Limits or Throttling
Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the MaxAliasesLimiter extension. An attacker can exhaust server resources by crafting GraphQL queries that exploit...
GHSA-FR49-MHGJ-CRFC Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Summary The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this...
CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47707
Technical details about CVE-2026-47707 are not publicly available in the provided documents; monitor vendor advisories and official releases for updates.
EUVD-2026-34271
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...
CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...
BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...
CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...
CVE-2026-34573
Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...
CVE-2022-30288
Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...
CVE-2022-30288
CVE-2022-30288 affects Agoo (Ruby HTTP server). The vulnerability arises in versions before 2.14.3 where GraphQL fragment spreads that form cycles are not rejected, potentially causing an application crash. Multiple validated sources (NVD, Red Hat, OSV, CVE lists, PT Security, CNNVD) confirm the ...
CVE-2022-30288
Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...
CVE-2022-30288
Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...
PT-2022-20047 · Agoo · Agoo
Name of the Vulnerable Software and Affected Versions: Agoo versions prior to 2.14.3 Description: The issue arises when Agoo does not reject GraphQL fragment spreads that form cycles, which can lead to an application crash. It has been disputed by the vendor, who claims it is not the server's...