Strawberry
Denial-of-service via alias amplification in Strawberry GraphQL (pip package strawberry-graphql, versions 0.172.0 through 0.315.6) allows unauthenticated remote attackers to exhaust server resources by bypassing the MaxAliasesLimiter extension with crafted GraphQL fragment spreads. The limiter counts aliases in a single static pass over the query AST, so a fragment definition containing N aliases contributes N to the count no matter how many times it is spread; at execution time, however, each of the M spreads is expanded, so roughly N×M aliased fields are resolved while the limit was enforced against a static count of about N+M. An alias limit is therefore only meaningful when it is computed on the expanded selection set, with each fragment spread counted as the aliases it expands to. A publicly available proof of concept demonstrates the bypass; no active exploitation has been confirmed in CISA KEV at time of analysis.
Infinite recursion in Strawberry GraphQL's QueryDepthLimiter extension allows unauthenticated remote attackers to abort validation with an unhandled exception and exhaust server resources by submitting queries with circular fragment references. Affected versions 0.71.0 through 0.315.6 of the pip package strawberry-graphql do not track visited fragments in the determine_depth function, so a trivially crafted two-fragment cycle (A spreads B, B spreads A) drives determine_depth into unbounded recursion and raises a Python RecursionError during validation, before any resolver executes. Because the failure happens at validation time, execution-time safeguards such as resolver timeouts never come into play; the missing check is to refuse any fragment that is already on the current traversal path. A public proof of concept is confirmed in GHSA-qfwv-87qj-98xq; no active exploitation is listed in CISA KEV at time of analysis.
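The two flaws above share a root cause: walking the query AST while either not expanding, or not remembering, fragment spreads. The Python block below is an added example written for this page; it is not Strawberry's own code and not the GHSA proof of concept. It uses a deliberately minimal GraphQL selection-set parser (no arguments, variables or directives), constructed sample queries against a hypothetical schema with a `user` field, and function names (`static_alias_count`, `expanded_alias_count`, `query_depth`, `run_depth_limiter`) that are this example's own rather than the internals of `MaxAliasesLimiter` or `determine_depth`. It shows both the static count the bypass exploits and the expansion-aware count that closes it, and runs the depth walk once without and once with visited-fragment tracking against the A/B cycle.

```python
# Added example, not Strawberry's code: a toy GraphQL parser plus the two limiter
# checks discussed above, reproducing the alias under-count and the fragment cycle.
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN = re.compile(r"\.\.\.|[{}:]|[A-Za-z_][A-Za-z0-9_]*")
@dataclass
class Node:                      # a field, or (spread=True) a spread of fragment `name`
    name: str
    alias: Optional[str] = None
    spread: bool = False
    selections: List["Node"] = field(default_factory=list)

Fragments = Dict[str, List[Node]]

def parse(src: str) -> Tuple[List[Node], Fragments]:
    """Return (operation selections, fragment definitions); no args/directives."""
    toks = deque(TOKEN.findall(src))

    def selection_set() -> List[Node]:
        assert toks.popleft() == "{"
        out: List[Node] = []
        while toks[0] != "}":
            if toks[0] == "...":                          # ...FragmentName
                toks.popleft()
                out.append(Node(toks.popleft(), spread=True))
                continue
            name, alias = toks.popleft(), None
            if toks[0] == ":":                            # alias: field
                toks.popleft()
                alias, name = name, toks.popleft()
            subs = selection_set() if toks[0] == "{" else []
            out.append(Node(name, alias, False, subs))
        toks.popleft()
        return out

    query, fragments = [], {}
    while toks:
        if toks[0] == "fragment":                         # fragment Name on Type {...}
            toks.popleft(); fname = toks.popleft(); toks.popleft(); toks.popleft()
            fragments[fname] = selection_set()
        else:                                             # [query [Name]] {...}
            while toks[0] != "{":
                toks.popleft()
            query = selection_set()
    return query, fragments

def static_alias_count(query: List[Node], fragments: Fragments) -> int:
    """One AST pass: each fragment definition counted once however often it is spread."""
    def count(nodes):
        return sum(bool(n.alias) + count(n.selections) for n in nodes if not n.spread)
    return count(query) + sum(count(f) for f in fragments.values())

def expanded_alias_count(nodes, fragments: Fragments, active=frozenset()) -> int:
    """Aliases as execution resolves them: every spread re-inlines the fragment.
    `active` (fragments on the current path) turns a cycle into a clean error."""
    total = 0
    for n in nodes:
        if not n.spread:
            total += bool(n.alias) + expanded_alias_count(n.selections, fragments, active)
        elif n.name in active:
            raise ValueError(f"fragment cycle through {n.name}")
        else:
            total += expanded_alias_count(fragments[n.name], fragments, active | {n.name})
    return total

def query_depth(nodes, fragments: Fragments, track_visited: bool, visited=frozenset()) -> int:
    """track_visited=False models the flaw described above: spreads are followed with
    no memory, so A -> B -> A recurses until Python raises RecursionError.
    track_visited=True rejects a fragment that is already on the current path."""
    best = 0
    for n in nodes:
        if not n.spread:
            best = max(best, 1 + query_depth(n.selections, fragments, track_visited, visited))
        elif track_visited and n.name in visited:
            raise ValueError(f"fragment cycle through {n.name}")
        else:
            best = max(best, query_depth(fragments[n.name], fragments, track_visited,
                                         visited | {n.name}))
    return best

def run_depth_limiter(src: str, track_visited: bool):
    """("ok", depth), ("RecursionError", None) or ("rejected", reason)."""
    query, fragments = parse(src)
    try:
        return ("ok", query_depth(query, fragments, track_visited))
    except RecursionError:
        return ("RecursionError", None)
    except ValueError as exc:
        return ("rejected", str(exc))

# Constructed samples against a hypothetical schema with a `user` field.
# AMPLIFIED: N = 4 aliases in one fragment, spread under M = 3 aliased parent fields.
AMPLIFIED = ("fragment Wide on User { a1: name a2: name a3: name a4: name } "
             "query { u1: user { ...Wide } u2: user { ...Wide } u3: user { ...Wide } }")
CYCLE = ("fragment A on User { name ...B } fragment B on User { name ...A } "
         "query { user { ...A } }")
```

For `AMPLIFIED`, `static_alias_count` reports 7 (N+M) while `expanded_alias_count` reports 15 (N×M plus the M aliased parents), so any alias limit set between those two values is bypassed by a query the static check waves through. For `CYCLE`, `run_depth_limiter(CYCLE, track_visited=False)` ends in `RecursionError`, whereas the visited-tracking variant rejects the query with an explicit error before any resolver would run.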