Lucene search
+L

16 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.15 views

CVE-2026-47706

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS5.4AI score0.00296EPSS
Exploits1References1
Snyk
Snyk
added 2026/06/04 4:22 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the MaxAliasesLimiter extension. An attacker can exhaust server resources by crafting GraphQL queries that exploit...

6.9CVSS5.5AI score0.00417EPSS
Exploits1References2
OSV
OSV
added 2026/06/04 2:39 p.m.8 views

GHSA-FR49-MHGJ-CRFC Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification

Summary The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this...

5.3CVSS6AI score0.00417EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/06/04 2:12 p.m.10 views

CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...

5.3CVSS5.8AI score0.00417EPSS
Exploits1References2
CVE
CVE
added 2026/06/04 2:12 p.m.33 views

CVE-2026-47707

Technical details about CVE-2026-47707 are not publicly available in the provided documents; monitor vendor advisories and official releases for updates.

5.3CVSS5.8AI score0.00417EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/06/04 2:12 p.m.13 views

EUVD-2026-34271

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...

5.3CVSS5.8AI score0.00417EPSS
Exploits1References2
OSV
OSV
added 2026/06/04 2:12 p.m.4 views

CVE-2026-47707 Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...

5.3CVSS6AI score0.00417EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/06/04 2:6 p.m.39 views

CVE-2026-47706 Strawberry GraphQL has a Circular Fragment Reference DOS

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth...

5.3CVSS0.00296EPSS
Exploits1References2
OSV
OSV
added 2026/04/06 2:49 p.m.6 views

BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...

8.2CVSS5.7AI score0.00463EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/31 3:6 p.m.25 views

CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

8.2CVSS0.00463EPSS
Exploits0References5
CVE
CVE
added 2026/03/31 3:6 p.m.28 views

CVE-2026-34573

Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...

8.2CVSS5.7AI score0.00463EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2022/05/04 11:15 p.m.20 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

7.5CVSS0.01501EPSS
Exploits1References3
CVE
CVE
added 2022/05/04 10:31 p.m.515 views

CVE-2022-30288

CVE-2022-30288 affects Agoo (Ruby HTTP server). The vulnerability arises in versions before 2.14.3 where GraphQL fragment spreads that form cycles are not rejected, potentially causing an application crash. Multiple validated sources (NVD, Red Hat, OSV, CVE lists, PT Security, CNNVD) confirm the ...

7.5CVSS7.5AI score0.01501EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2022/05/04 10:31 p.m.14 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

7.3AI score0.01501EPSS
Exploits1References3
OSV
OSV
added 2022/05/04 10:31 p.m.10 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

7.5CVSS6.9AI score0.01501EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2022/05/04 12:0 a.m.8 views

PT-2022-20047 · Agoo · Agoo

Name of the Vulnerable Software and Affected Versions: Agoo versions prior to 2.14.3 Description: The issue arises when Agoo does not reject GraphQL fragment spreads that form cycles, which can lead to an application crash. It has been disputed by the vendor, who claims it is not the server's...

7.5CVSS7.4AI score0.01501EPSS
Exploits1References10
Rows per page
Query Builder