By vendor

Strawberry vulnerabilities

Known CVEs affecting Strawberry products, prioritized by severity, with SEC.co remediation and detection guidance.

3 published vulnerabilities

  • CVE-2026-47706MEDIUM 5.3

    Strawberry GraphQL versions 0.71.0 through 0.315.6 contain a denial-of-service vulnerability in the QueryDepthLimiter extension. An attacker can craft a GraphQL query with circular fragment references that causes the validation process to enter infinite recursion, crashing the server. This affects any GraphQL API built with vulnerable Strawberry versions. The issue is resolved in version 0.315.7.

  • CVE-2026-47707MEDIUM 5.3

    Strawberry GraphQL, a Python library for building GraphQL APIs, contains a flaw in its MaxAliasesLimiter security extension that allows attackers to bypass protective limits on query aliases. The vulnerability exists because the extension counts static aliases correctly but fails to account for how fragment spreads multiply and amplify those aliases during execution. An attacker can craft a malicious GraphQL query using fragment spreads to force the server to resolve far more aliases than the configured limit permits, exhausting server resources and causing a denial of service. The issue affects versions 0.172.0 through 0.315.6; version 0.315.7 and later contain the fix.

  • CVE-2026-45739LOW 3.1

    Strawberry GraphQL, a popular library for building GraphQL APIs, has a flaw in its bundled GraphiQL interface (versions 0.288.4 through 0.315.3) where sensitive headers entered by developers are inadvertently exposed in the browser URL. When a developer pastes an authorization token or other credential into the GraphiQL headers editor, that value becomes part of the page URL and persists in browser history, shareable links, and server access logs. This creates a credential leakage risk if someone gains access to those logs or if links are shared. The issue has been patched in version 0.315.4.