Skip to main content

CVE-2026-35526

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-06 https://github.com/strawberry-graphql/strawberry GHSA-hv3w-m4g2-5x77
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 20:52 vuln.today
cvss_changed
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
Patch released
Apr 06, 2026 - 19:00 nvd
Patch available
CVE Published
Apr 06, 2026 - 18:00 nvd
HIGH 7.5

DescriptionGitHub Advisory

Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.

An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.

AnalysisAI

Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).

Technical ContextAI

Strawberry GraphQL is a Python GraphQL library built on asyncio that provides WebSocket subscription support through two protocol implementations: the modern graphql-transport-ws and the legacy graphql-ws protocol. The vulnerability stems from improper resource management (CWE-400: Uncontrolled Resource Consumption) in the subscription message handlers. When a client sends a subscribe message with a unique operation ID, the server unconditionally allocates an asyncio.Task and instantiates an Operation object containing an async generator. Without rate limiting or connection-scoped subscription counting, each subscribe message creates unbounded concurrent tasks. Python's asyncio event loop becomes saturated with pending tasks, while each async generator and associated Operation object consumes heap memory linearly with the number of subscriptions. The affected package is distributed via PyPI as strawberry-graphql (CPE: pkg:pip/strawberry-graphql), and both WebSocket protocol handlers share the same vulnerable code path for subscription lifecycle management.

RemediationAI

Upgrade strawberry-graphql to version 0.312.3 or later, which introduces per-connection subscription limits to prevent unbounded resource allocation. The fix commit is available at https://github.com/strawberry-graphql/strawberry/commit/0977a4e6b41b7cfe3e9d8ba84a43458a2b0c54c2 and has been released in the official 0.312.3 package published at https://github.com/strawberry-graphql/strawberry/releases/tag/0.312.3. Organizations using pip should update via 'pip install --upgrade strawberry-graphql>=0.312.3' and verify the installed version. As a temporary mitigation for systems where immediate patching is not feasible, consider implementing connection-level rate limiting at the reverse proxy or load balancer layer to restrict the number of WebSocket messages per connection per time window, though this is less effective than the vendor's subscription count enforcement. Additionally, review logging and monitoring to detect abnormal subscription patterns (high subscribe message rates from single connections) and configure resource limits (memory cgroups, container resource quotas) to contain the blast radius of DoS attempts until patching is complete.

Share

CVE-2026-35526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy