Platform
python
Component
strawberry-graphql
Fixed in
0.312.4
0.312.3
CVE-2026-35526 describes a denial-of-service (DoS) vulnerability within Strawberry GraphQL, a Python library for building GraphQL APIs. This flaw arises from the uncontrolled allocation of asynchronous tasks for incoming subscription messages, allowing an attacker to overwhelm the server. Versions 0.0.0 through 0.312.2 are affected; upgrading to version 0.312.3 resolves the issue.
The vulnerability allows an unauthenticated attacker to initiate a single WebSocket connection and then rapidly send a flood of unique subscription messages. Each message triggers the creation of a new asyncio.Task and associated Operation object, without any rate limiting. This uncontrolled task creation can quickly exhaust server resources, including CPU, memory, and potentially network bandwidth. The result is a denial of service, preventing legitimate users from accessing the GraphQL API. The blast radius extends to all users relying on the affected GraphQL endpoint, and the impact can be significant, especially in production environments.
This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a potential target. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. Active exploitation is not confirmed, but the lack of a required authentication makes it a high-priority concern.
Applications utilizing Strawberry GraphQL for building GraphQL APIs, particularly those exposed to untrusted networks or lacking robust authentication mechanisms, are at risk. Shared hosting environments where multiple applications share the same server resources are especially vulnerable, as a single attacker could impact all hosted applications.
• python / server:

```python
import asyncio
import psutil
import strawberry

# Check the installed Strawberry GraphQL version (affected: 0.0.0 through 0.312.2)
print(strawberry.__version__)


async def monitor_resources() -> None:
    # Monitor CPU and memory usage for unusual spikes while WebSocket connections are open
    while True:
        cpu_usage = psutil.cpu_percent(interval=1)
        memory_usage = psutil.virtual_memory().percent
        print(f'CPU Usage: {cpu_usage}%, Memory Usage: {memory_usage}%')
        await asyncio.sleep(5)


asyncio.run(monitor_resources())
```
Exploit status
EPSS
0.06% (percentile 18%)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Strawberry GraphQL to version 0.312.3 or later, which includes a fix to limit the number of active subscriptions per connection. If upgrading immediately is not feasible, consider implementing rate limiting on the WebSocket connection to restrict the number of subscription messages received per unit of time. Web application firewalls (WAFs) can be configured to detect and block suspicious patterns of subscription requests. Monitoring server resource utilization (CPU, memory) is crucial to identify potential DoS attacks.
Update Strawberry GraphQL to version 0.312.3 or later to mitigate the denial-of-service vulnerability. This version introduces limits on the number of active WebSocket subscriptions per connection, preventing excessive resource consumption and possible crashes.
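The two interim controls recommended above (a cap on active subscriptions per connection and a rate limit on subscribe messages per unit of time) are easy to get wrong, so the following added example models them in a standalone per-connection limiter. It is illustrative code written for this page, not Strawberry's own fix or API: the message shapes follow the graphql-transport-ws protocol (`{"id": ..., "type": "subscribe"}` / `{"id": ..., "type": "complete"}`), while the limit values, the `SubscriptionLimiter` class, `_run_operation` and `run_burst` are assumptions. The point it makes that the prose does not is ordering: the rate and capacity checks run before any `asyncio.Task` is created, and every live task is cancelled when the connection closes.

```python
"""Per-connection subscription limiter (added illustration, not Strawberry's code)."""
import asyncio
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SubscriptionLimiter:
    max_active: int = 50        # assumed cap on concurrent subscriptions per connection
    max_per_window: int = 20    # assumed cap on 'subscribe' messages per sliding window
    window_seconds: float = 1.0
    active: dict = field(default_factory=dict)    # operation id -> asyncio.Task
    recent: deque = field(default_factory=deque)  # timestamps of recent subscribe messages

    def _allow_rate(self, now: float) -> bool:
        # Sliding window: discard timestamps older than the window, then count what is left.
        while self.recent and now - self.recent[0] > self.window_seconds:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_window:
            return False
        self.recent.append(now)
        return True

    async def handle(self, message: dict, now: float) -> str:
        """Return a verdict for one protocol message; only 'subscribe' and 'complete' are modelled."""
        msg_type = message.get("type")
        op_id = message.get("id")
        if msg_type == "subscribe":
            if op_id in self.active:
                return "rejected:duplicate-id"  # reusing a live id is a protocol error
            if not self._allow_rate(now):
                return "rejected:rate-limit"
            if len(self.active) >= self.max_active:
                return "rejected:too-many-subscriptions"
            # A task is created only after both checks pass; unbounded creation was the root cause.
            self.active[op_id] = asyncio.create_task(_run_operation(op_id))
            return "accepted"
        if msg_type == "complete":
            task = self.active.pop(op_id, None)
            if task is None:
                return "ignored:unknown-id"
            task.cancel()
            return "completed"
        return "ignored:unsupported-type"

    async def close(self) -> None:
        # On disconnect, cancel every live task so nothing outlives the connection.
        for task in self.active.values():
            task.cancel()
        self.active.clear()


async def _run_operation(op_id: str) -> None:
    # Stand-in for a real resolver-driven subscription stream (assumed for the example).
    try:
        await asyncio.sleep(3600)
    except asyncio.CancelledError:
        pass


async def _burst(count: int, max_active: int, max_per_window: int) -> dict:
    """Feed `count` unique subscribe messages at t=0 (constructed input) and tally the verdicts."""
    limiter = SubscriptionLimiter(max_active=max_active, max_per_window=max_per_window)
    tally: dict = {}
    for i in range(count):
        verdict = await limiter.handle({"id": f"op-{i}", "type": "subscribe"}, now=0.0)
        tally[verdict] = tally.get(verdict, 0) + 1
    tally["active"] = len(limiter.active)
    await limiter.close()
    return tally


def run_burst(count: int, max_active: int = 5, max_per_window: int = 100) -> dict:
    """Synchronous wrapper so the limiter can be exercised from a unit test."""
    return asyncio.run(_burst(count, max_active, max_per_window))


if __name__ == "__main__":
    print(run_burst(20))  # 5 accepted, 15 rejected:too-many-subscriptions, active 5
    print(run_burst(10, max_active=50, max_per_window=3))  # 3 accepted, 7 rejected:rate-limit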
CVE-2026-35526 is a denial-of-service vulnerability in Strawberry GraphQL versions 0.0.0 through 0.312.2, allowing attackers to exhaust server resources by flooding subscription messages.
If you are using Strawberry GraphQL versions 0.0.0 through 0.312.2, you are potentially affected by this vulnerability. Upgrade to 0.312.3 or later to mitigate the risk.
The recommended fix is to upgrade Strawberry GraphQL to version 0.312.3 or later. Consider implementing rate limiting on WebSocket connections as a temporary workaround.
Active exploitation has not been confirmed, but the vulnerability's ease of exploitation makes it a potential target. Continuous monitoring is advised.
Refer to the Strawberry GraphQL project's official advisory and release notes for detailed information and updates: [https://strawberry.py/docs/releases](https://strawberry.py/docs/releases)