CVE-2026-35526
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.
An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.
AnalysisAI
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Technical ContextAI
Strawberry GraphQL is a Python GraphQL library built on asyncio that provides WebSocket subscription support through two protocol implementations: the modern graphql-transport-ws and the legacy graphql-ws protocol. The vulnerability stems from improper resource management (CWE-400: Uncontrolled Resource Consumption) in the subscription message handlers. When a client sends a subscribe message with a unique operation ID, the server unconditionally allocates an asyncio.Task and instantiates an Operation object containing an async generator. Without rate limiting or connection-scoped subscription counting, each subscribe message creates unbounded concurrent tasks. Python's asyncio event loop becomes saturated with pending tasks, while each async generator and associated Operation object consumes heap memory linearly with the number of subscriptions. The affected package is distributed via PyPI as strawberry-graphql (CPE: pkg:pip/strawberry-graphql), and both WebSocket protocol handlers share the same vulnerable code path for subscription lifecycle management.
RemediationAI
Upgrade strawberry-graphql to version 0.312.3 or later, which introduces per-connection subscription limits to prevent unbounded resource allocation. The fix commit is available at https://github.com/strawberry-graphql/strawberry/commit/0977a4e6b41b7cfe3e9d8ba84a43458a2b0c54c2 and has been released in the official 0.312.3 package published at https://github.com/strawberry-graphql/strawberry/releases/tag/0.312.3. Organizations using pip should update via 'pip install --upgrade strawberry-graphql>=0.312.3' and verify the installed version. As a temporary mitigation for systems where immediate patching is not feasible, consider implementing connection-level rate limiting at the reverse proxy or load balancer layer to restrict the number of WebSocket messages per connection per time window, though this is less effective than the vendor's subscription count enforcement. Additionally, review logging and monitoring to detect abnormal subscription patterns (high subscribe message rates from single connections) and configure resource limits (memory cgroups, container resource quotas) to contain the blast radius of DoS attempts until patching is complete.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hv3w-m4g2-5x77