PYSEC-2026-2284
Vulnerability from pysec - Published: 2026-06-04 15:16 - Updated: 2026-07-13 05:51
VLAI
Details
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.
Severity
5.3 (Medium)
Impacted products
| Name | purl | strawberry-graphql | pkg:pypi/strawberry-graphql |
|---|
Aliases
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "strawberry-graphql",
"purl": "pkg:pypi/strawberry-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0.172.0"
},
{
"fixed": "0.315.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.172.0",
"0.173.0",
"0.173.1",
"0.174.0",
"0.175.0",
"0.175.1",
"0.176.0",
"0.176.1",
"0.176.2",
"0.176.3",
"0.176.4",
"0.177.0",
"0.177.1",
"0.177.2",
"0.177.3",
"0.178.0",
"0.178.1",
"0.178.2",
"0.178.3",
"0.179.0",
"0.180.0",
"0.180.1",
"0.180.2",
"0.180.3",
"0.180.4",
"0.180.5",
"0.181.0",
"0.182.0",
"0.182.0.dev1686062831",
"0.183.0",
"0.183.1",
"0.183.1.dev1686081894",
"0.183.2",
"0.183.3",
"0.183.4",
"0.183.5",
"0.183.6",
"0.183.7",
"0.183.8",
"0.184.0",
"0.184.1",
"0.185.0",
"0.185.1",
"0.185.2",
"0.185.2.dev1686819062",
"0.186.0",
"0.186.1",
"0.186.2",
"0.186.3",
"0.187.0",
"0.187.1",
"0.187.2",
"0.187.3",
"0.187.4",
"0.187.5",
"0.188.0",
"0.189.0",
"0.189.1",
"0.189.1.dev1687473609",
"0.189.2",
"0.189.3",
"0.190.0",
"0.190.0.dev1687447182",
"0.192.0",
"0.192.1",
"0.192.2",
"0.193.0",
"0.193.1",
"0.194.0",
"0.194.1",
"0.194.2",
"0.194.3",
"0.194.4",
"0.195.0",
"0.195.1",
"0.195.2",
"0.195.3",
"0.196.0",
"0.196.0.dev1689676980",
"0.196.0.dev1689676990",
"0.196.0.dev1690222024",
"0.196.1",
"0.196.2",
"0.197.0",
"0.197.0.dev1690539957",
"0.198.0",
"0.199.0",
"0.199.1",
"0.199.2",
"0.199.3",
"0.200.0",
"0.201.0",
"0.201.1",
"0.202.0",
"0.202.1",
"0.203.0",
"0.203.1",
"0.203.1.dev1691831108",
"0.203.2",
"0.203.3",
"0.204.0",
"0.205.0",
"0.206.0",
"0.207.0",
"0.207.1",
"0.208.0",
"0.208.1",
"0.208.2",
"0.208.3",
"0.209.0",
"0.209.1",
"0.209.2",
"0.209.3",
"0.209.3.dev1696259772",
"0.209.4",
"0.209.5",
"0.209.6",
"0.209.7",
"0.209.8",
"0.209.8.dev1697789637",
"0.210.0",
"0.210.0.dev1697796691",
"0.211.0",
"0.211.1",
"0.211.2",
"0.212.0",
"0.212.0.dev1698770659",
"0.212.0.dev1698790124",
"0.212.0.dev1699050277",
"0.212.0.dev1699288765",
"0.212.0.dev1699291750",
"0.213.0",
"0.213.0.dev1699372734",
"0.213.0.dev1699435418",
"0.213.0.dev1699437859",
"0.214.0",
"0.214.0.dev1699441271",
"0.214.0.dev1701082152",
"0.214.0.dev1701368154",
"0.215.0",
"0.215.1",
"0.215.2",
"0.215.2.dev1701810830",
"0.215.3",
"0.216.0",
"0.216.1",
"0.217.0",
"0.217.1",
"0.218.0",
"0.218.0.dev1705418681",
"0.218.1",
"0.219.0",
"0.219.1",
"0.219.2",
"0.220.0",
"0.220.0.dev1709543239",
"0.221.0",
"0.221.0.dev1710955937",
"0.221.1",
"0.222.0",
"0.223.0",
"0.224.0",
"0.224.0.dev1711748192",
"0.224.1",
"0.224.2",
"0.225.0",
"0.225.1",
"0.226.0",
"0.226.1",
"0.226.2",
"0.227.0",
"0.227.0.dev1713463204",
"0.227.0.dev1713475585",
"0.227.1",
"0.227.2",
"0.227.3",
"0.227.4",
"0.227.5",
"0.227.6",
"0.227.7",
"0.228.0",
"0.228.0.dev1713643365",
"0.229.0",
"0.229.1",
"0.229.2",
"0.229.2.dev1715873118",
"0.229.2.dev1715881453",
"0.230.0",
"0.230.0.dev1716318708",
"0.231.0",
"0.231.1",
"0.232.0",
"0.232.1",
"0.232.2",
"0.233.0",
"0.233.1",
"0.233.2",
"0.233.3",
"0.234.0",
"0.234.1",
"0.234.2",
"0.234.3",
"0.235.0",
"0.235.1",
"0.235.1.dev1719337273",
"0.235.2",
"0.236.0",
"0.236.1",
"0.236.2",
"0.237.0",
"0.237.1",
"0.237.2",
"0.237.3",
"0.238.0",
"0.238.1",
"0.239.0",
"0.239.1",
"0.239.2",
"0.240.0",
"0.240.1",
"0.240.2",
"0.240.3",
"0.240.3.dev1726159932",
"0.240.4",
"0.241.0",
"0.242.0",
"0.243.0",
"0.243.1",
"0.244.0",
"0.244.1",
"0.245.0",
"0.246.0",
"0.246.1",
"0.246.2",
"0.246.3",
"0.247.0",
"0.247.1",
"0.247.2",
"0.248.0",
"0.248.1",
"0.249.0",
"0.250.0",
"0.250.1",
"0.251.0",
"0.252.0",
"0.253.0",
"0.253.1",
"0.254.0",
"0.254.1",
"0.255.0",
"0.256.0",
"0.256.1",
"0.257.0",
"0.257.0.dev1735244504",
"0.258.0",
"0.258.1",
"0.259.0",
"0.259.1",
"0.260.0",
"0.260.1",
"0.260.2",
"0.260.3",
"0.260.4",
"0.261.0",
"0.261.1",
"0.262.0",
"0.262.1",
"0.262.2",
"0.262.3",
"0.262.4",
"0.262.5",
"0.262.6",
"0.262.7.dev1743345593",
"0.263.0",
"0.263.0.dev1743450281",
"0.263.0.dev1743450503",
"0.263.0.dev1743450741",
"0.263.0.dev1743582446",
"0.263.1",
"0.263.2",
"0.264.0",
"0.264.1",
"0.265.0",
"0.265.1",
"0.266.0",
"0.266.0.dev1744797470",
"0.266.1",
"0.267.0",
"0.267.0.dev1746643548",
"0.268.0",
"0.268.1",
"0.268.2",
"0.268.2.dev1747436835",
"0.269.0",
"0.269.0.dev1746905409",
"0.269.0.dev1747164009",
"0.270.0",
"0.270.1",
"0.270.2",
"0.270.3",
"0.270.4",
"0.270.5",
"0.270.6",
"0.271.0",
"0.271.1",
"0.271.2",
"0.272.0",
"0.272.1",
"0.273.0",
"0.273.1",
"0.273.2",
"0.273.3",
"0.274.0",
"0.274.1",
"0.274.2",
"0.274.3",
"0.275.0",
"0.275.1",
"0.275.2",
"0.275.3",
"0.275.4",
"0.275.5",
"0.275.6",
"0.275.7",
"0.276.0",
"0.276.0.dev1750672223",
"0.276.0.dev1752831589",
"0.276.1",
"0.276.2",
"0.277.0",
"0.277.1",
"0.278.0",
"0.278.1",
"0.279.0",
"0.279.0.dev1754138688",
"0.279.0.dev1754156227",
"0.279.0.dev1754159379",
"0.280.0",
"0.281.0",
"0.282.0",
"0.283.0",
"0.283.1",
"0.283.2",
"0.283.3",
"0.284.0",
"0.284.1",
"0.284.2",
"0.284.3",
"0.284.4",
"0.285.0",
"0.285.0.dev1762469343",
"0.286.0",
"0.286.1",
"0.287.0",
"0.287.1",
"0.287.2",
"0.287.3",
"0.287.4",
"0.288.0",
"0.288.1",
"0.288.2",
"0.288.3",
"0.288.4",
"0.289.0",
"0.289.1",
"0.289.2",
"0.289.3",
"0.289.4",
"0.289.5",
"0.289.6",
"0.289.7",
"0.289.8",
"0.290.0",
"0.291.0",
"0.291.1",
"0.291.2",
"0.291.2.dev1770456508",
"0.291.2.dev1771437961",
"0.291.3",
"0.292.0",
"0.293.0",
"0.294.0",
"0.295.0",
"0.296.0",
"0.296.1",
"0.296.2",
"0.297.0",
"0.298.0",
"0.298.1",
"0.299.0",
"0.300.0",
"0.301.0",
"0.302.0",
"0.303.0",
"0.303.1",
"0.304.0",
"0.305.0",
"0.306.0",
"0.307.0",
"0.307.1",
"0.308.0",
"0.308.1",
"0.308.2",
"0.308.3",
"0.309.0",
"0.310.0",
"0.310.1",
"0.310.2",
"0.311.0",
"0.311.1",
"0.311.2",
"0.311.3",
"0.312.0",
"0.312.1",
"0.312.2",
"0.312.3",
"0.312.4",
"0.313.0",
"0.314.0",
"0.314.1",
"0.314.2",
"0.314.3",
"0.315.0",
"0.315.1",
"0.315.2",
"0.315.3",
"0.315.4",
"0.315.5",
"0.315.6"
]
}
],
"aliases": [
"CVE-2026-47707",
"GHSA-fr49-mhgj-crfc"
],
"details": "Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.",
"id": "PYSEC-2026-2284",
"modified": "2026-07-13T05:51:37.880089Z",
"published": "2026-06-04T15:16:55.283Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7"
},
{
"type": "EVIDENCE",
"url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…