PYSEC-2026-2284

Vulnerability from pysec - Published: 2026-06-04 15:16 - Updated: 2026-07-13 05:51
VLAI
Details

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.

Impacted products
Name purl
strawberry-graphql pkg:pypi/strawberry-graphql

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "strawberry-graphql",
        "purl": "pkg:pypi/strawberry-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.172.0"
            },
            {
              "fixed": "0.315.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.172.0",
        "0.173.0",
        "0.173.1",
        "0.174.0",
        "0.175.0",
        "0.175.1",
        "0.176.0",
        "0.176.1",
        "0.176.2",
        "0.176.3",
        "0.176.4",
        "0.177.0",
        "0.177.1",
        "0.177.2",
        "0.177.3",
        "0.178.0",
        "0.178.1",
        "0.178.2",
        "0.178.3",
        "0.179.0",
        "0.180.0",
        "0.180.1",
        "0.180.2",
        "0.180.3",
        "0.180.4",
        "0.180.5",
        "0.181.0",
        "0.182.0",
        "0.182.0.dev1686062831",
        "0.183.0",
        "0.183.1",
        "0.183.1.dev1686081894",
        "0.183.2",
        "0.183.3",
        "0.183.4",
        "0.183.5",
        "0.183.6",
        "0.183.7",
        "0.183.8",
        "0.184.0",
        "0.184.1",
        "0.185.0",
        "0.185.1",
        "0.185.2",
        "0.185.2.dev1686819062",
        "0.186.0",
        "0.186.1",
        "0.186.2",
        "0.186.3",
        "0.187.0",
        "0.187.1",
        "0.187.2",
        "0.187.3",
        "0.187.4",
        "0.187.5",
        "0.188.0",
        "0.189.0",
        "0.189.1",
        "0.189.1.dev1687473609",
        "0.189.2",
        "0.189.3",
        "0.190.0",
        "0.190.0.dev1687447182",
        "0.192.0",
        "0.192.1",
        "0.192.2",
        "0.193.0",
        "0.193.1",
        "0.194.0",
        "0.194.1",
        "0.194.2",
        "0.194.3",
        "0.194.4",
        "0.195.0",
        "0.195.1",
        "0.195.2",
        "0.195.3",
        "0.196.0",
        "0.196.0.dev1689676980",
        "0.196.0.dev1689676990",
        "0.196.0.dev1690222024",
        "0.196.1",
        "0.196.2",
        "0.197.0",
        "0.197.0.dev1690539957",
        "0.198.0",
        "0.199.0",
        "0.199.1",
        "0.199.2",
        "0.199.3",
        "0.200.0",
        "0.201.0",
        "0.201.1",
        "0.202.0",
        "0.202.1",
        "0.203.0",
        "0.203.1",
        "0.203.1.dev1691831108",
        "0.203.2",
        "0.203.3",
        "0.204.0",
        "0.205.0",
        "0.206.0",
        "0.207.0",
        "0.207.1",
        "0.208.0",
        "0.208.1",
        "0.208.2",
        "0.208.3",
        "0.209.0",
        "0.209.1",
        "0.209.2",
        "0.209.3",
        "0.209.3.dev1696259772",
        "0.209.4",
        "0.209.5",
        "0.209.6",
        "0.209.7",
        "0.209.8",
        "0.209.8.dev1697789637",
        "0.210.0",
        "0.210.0.dev1697796691",
        "0.211.0",
        "0.211.1",
        "0.211.2",
        "0.212.0",
        "0.212.0.dev1698770659",
        "0.212.0.dev1698790124",
        "0.212.0.dev1699050277",
        "0.212.0.dev1699288765",
        "0.212.0.dev1699291750",
        "0.213.0",
        "0.213.0.dev1699372734",
        "0.213.0.dev1699435418",
        "0.213.0.dev1699437859",
        "0.214.0",
        "0.214.0.dev1699441271",
        "0.214.0.dev1701082152",
        "0.214.0.dev1701368154",
        "0.215.0",
        "0.215.1",
        "0.215.2",
        "0.215.2.dev1701810830",
        "0.215.3",
        "0.216.0",
        "0.216.1",
        "0.217.0",
        "0.217.1",
        "0.218.0",
        "0.218.0.dev1705418681",
        "0.218.1",
        "0.219.0",
        "0.219.1",
        "0.219.2",
        "0.220.0",
        "0.220.0.dev1709543239",
        "0.221.0",
        "0.221.0.dev1710955937",
        "0.221.1",
        "0.222.0",
        "0.223.0",
        "0.224.0",
        "0.224.0.dev1711748192",
        "0.224.1",
        "0.224.2",
        "0.225.0",
        "0.225.1",
        "0.226.0",
        "0.226.1",
        "0.226.2",
        "0.227.0",
        "0.227.0.dev1713463204",
        "0.227.0.dev1713475585",
        "0.227.1",
        "0.227.2",
        "0.227.3",
        "0.227.4",
        "0.227.5",
        "0.227.6",
        "0.227.7",
        "0.228.0",
        "0.228.0.dev1713643365",
        "0.229.0",
        "0.229.1",
        "0.229.2",
        "0.229.2.dev1715873118",
        "0.229.2.dev1715881453",
        "0.230.0",
        "0.230.0.dev1716318708",
        "0.231.0",
        "0.231.1",
        "0.232.0",
        "0.232.1",
        "0.232.2",
        "0.233.0",
        "0.233.1",
        "0.233.2",
        "0.233.3",
        "0.234.0",
        "0.234.1",
        "0.234.2",
        "0.234.3",
        "0.235.0",
        "0.235.1",
        "0.235.1.dev1719337273",
        "0.235.2",
        "0.236.0",
        "0.236.1",
        "0.236.2",
        "0.237.0",
        "0.237.1",
        "0.237.2",
        "0.237.3",
        "0.238.0",
        "0.238.1",
        "0.239.0",
        "0.239.1",
        "0.239.2",
        "0.240.0",
        "0.240.1",
        "0.240.2",
        "0.240.3",
        "0.240.3.dev1726159932",
        "0.240.4",
        "0.241.0",
        "0.242.0",
        "0.243.0",
        "0.243.1",
        "0.244.0",
        "0.244.1",
        "0.245.0",
        "0.246.0",
        "0.246.1",
        "0.246.2",
        "0.246.3",
        "0.247.0",
        "0.247.1",
        "0.247.2",
        "0.248.0",
        "0.248.1",
        "0.249.0",
        "0.250.0",
        "0.250.1",
        "0.251.0",
        "0.252.0",
        "0.253.0",
        "0.253.1",
        "0.254.0",
        "0.254.1",
        "0.255.0",
        "0.256.0",
        "0.256.1",
        "0.257.0",
        "0.257.0.dev1735244504",
        "0.258.0",
        "0.258.1",
        "0.259.0",
        "0.259.1",
        "0.260.0",
        "0.260.1",
        "0.260.2",
        "0.260.3",
        "0.260.4",
        "0.261.0",
        "0.261.1",
        "0.262.0",
        "0.262.1",
        "0.262.2",
        "0.262.3",
        "0.262.4",
        "0.262.5",
        "0.262.6",
        "0.262.7.dev1743345593",
        "0.263.0",
        "0.263.0.dev1743450281",
        "0.263.0.dev1743450503",
        "0.263.0.dev1743450741",
        "0.263.0.dev1743582446",
        "0.263.1",
        "0.263.2",
        "0.264.0",
        "0.264.1",
        "0.265.0",
        "0.265.1",
        "0.266.0",
        "0.266.0.dev1744797470",
        "0.266.1",
        "0.267.0",
        "0.267.0.dev1746643548",
        "0.268.0",
        "0.268.1",
        "0.268.2",
        "0.268.2.dev1747436835",
        "0.269.0",
        "0.269.0.dev1746905409",
        "0.269.0.dev1747164009",
        "0.270.0",
        "0.270.1",
        "0.270.2",
        "0.270.3",
        "0.270.4",
        "0.270.5",
        "0.270.6",
        "0.271.0",
        "0.271.1",
        "0.271.2",
        "0.272.0",
        "0.272.1",
        "0.273.0",
        "0.273.1",
        "0.273.2",
        "0.273.3",
        "0.274.0",
        "0.274.1",
        "0.274.2",
        "0.274.3",
        "0.275.0",
        "0.275.1",
        "0.275.2",
        "0.275.3",
        "0.275.4",
        "0.275.5",
        "0.275.6",
        "0.275.7",
        "0.276.0",
        "0.276.0.dev1750672223",
        "0.276.0.dev1752831589",
        "0.276.1",
        "0.276.2",
        "0.277.0",
        "0.277.1",
        "0.278.0",
        "0.278.1",
        "0.279.0",
        "0.279.0.dev1754138688",
        "0.279.0.dev1754156227",
        "0.279.0.dev1754159379",
        "0.280.0",
        "0.281.0",
        "0.282.0",
        "0.283.0",
        "0.283.1",
        "0.283.2",
        "0.283.3",
        "0.284.0",
        "0.284.1",
        "0.284.2",
        "0.284.3",
        "0.284.4",
        "0.285.0",
        "0.285.0.dev1762469343",
        "0.286.0",
        "0.286.1",
        "0.287.0",
        "0.287.1",
        "0.287.2",
        "0.287.3",
        "0.287.4",
        "0.288.0",
        "0.288.1",
        "0.288.2",
        "0.288.3",
        "0.288.4",
        "0.289.0",
        "0.289.1",
        "0.289.2",
        "0.289.3",
        "0.289.4",
        "0.289.5",
        "0.289.6",
        "0.289.7",
        "0.289.8",
        "0.290.0",
        "0.291.0",
        "0.291.1",
        "0.291.2",
        "0.291.2.dev1770456508",
        "0.291.2.dev1771437961",
        "0.291.3",
        "0.292.0",
        "0.293.0",
        "0.294.0",
        "0.295.0",
        "0.296.0",
        "0.296.1",
        "0.296.2",
        "0.297.0",
        "0.298.0",
        "0.298.1",
        "0.299.0",
        "0.300.0",
        "0.301.0",
        "0.302.0",
        "0.303.0",
        "0.303.1",
        "0.304.0",
        "0.305.0",
        "0.306.0",
        "0.307.0",
        "0.307.1",
        "0.308.0",
        "0.308.1",
        "0.308.2",
        "0.308.3",
        "0.309.0",
        "0.310.0",
        "0.310.1",
        "0.310.2",
        "0.311.0",
        "0.311.1",
        "0.311.2",
        "0.311.3",
        "0.312.0",
        "0.312.1",
        "0.312.2",
        "0.312.3",
        "0.312.4",
        "0.313.0",
        "0.314.0",
        "0.314.1",
        "0.314.2",
        "0.314.3",
        "0.315.0",
        "0.315.1",
        "0.315.2",
        "0.315.3",
        "0.315.4",
        "0.315.5",
        "0.315.6"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47707",
    "GHSA-fr49-mhgj-crfc"
  ],
  "details": "Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a  dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.",
  "id": "PYSEC-2026-2284",
  "modified": "2026-07-13T05:51:37.880089Z",
  "published": "2026-06-04T15:16:55.283Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…