CVE-2026-47706: Strawberry GraphQL QueryDepthLimiter Denial of Service
Strawberry GraphQL versions 0.71.0 through 0.315.6 contain a denial-of-service vulnerability in the QueryDepthLimiter extension. An attacker can craft a GraphQL query with circular fragment references that causes the validation process to enter infinite recursion, crashing the server. This affects any GraphQL API built with vulnerable Strawberry versions. The issue is resolved in version 0.315.7.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-400, CWE-674
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the QueryDepthLimiter extension's determine_depth function, which lacks proper cycle detection when evaluating fragment spreads. When a query contains circular references between fragments, the recursive depth calculation never terminates, triggering a RecursionError that halts the validation pipeline. This is a classic algorithmic flaw where defensive programming—specifically, tracking visited nodes to prevent re-entry—was omitted from the traversal logic.
Business impact
Any production GraphQL service running Strawberry GraphQL in the vulnerable version range can be trivially taken offline by an unauthenticated attacker sending a single malicious query. Since no authentication is required and the attack is network-accessible, the business impact is service unavailability without resource-intensive DDoS infrastructure. For API-dependent applications, this translates to customer-facing downtime and potential SLA violations.
Affected systems
Strawberry GraphQL versions 0.71.0 through 0.315.6 are affected. Any GraphQL API or service built on these versions using the QueryDepthLimiter extension is vulnerable. This includes both direct library usage and any framework or SDK that depends on Strawberry GraphQL in the affected range. Verify your dependency chain for transitive Strawberry GraphQL inclusions.
Exploitability
Exploitability is straightforward: no authentication, privileges, or user interaction are required. An attacker only needs network access to the GraphQL endpoint and the ability to submit a query with circular fragment references. CVSS vector AV:N/AC:L/PR:N/UI:N indicates low complexity and high accessibility. Practical exploit code is trivial to construct and requires no special tooling beyond standard GraphQL clients.
Remediation
Upgrade Strawberry GraphQL to version 0.315.7 or later. This version includes cycle detection in the QueryDepthLimiter extension's determine_depth function, preventing infinite recursion on circular fragments. Review your dependency management to identify all services using Strawberry GraphQL and prioritize patching based on traffic and criticality.
Patch guidance
Update to Strawberry GraphQL 0.315.7 or a later stable release. This is a straightforward dependency upgrade; no configuration changes are required. Test the upgraded version in a staging environment to verify compatibility with your GraphQL schema and extensions. Monitor application logs after deployment to confirm validation behavior remains as expected. If you are unable to upgrade immediately, implement network-level query complexity limits or WAF rules to reject deeply nested or circular fragment queries as a temporary compensating control.
Detection guidance
Monitor for RecursionError or RuntimeError exceptions in your GraphQL validation logs. Enable detailed logging in the Strawberry GraphQL validation layer to capture query structures that trigger errors. Analyze incoming queries for circular fragment references or unusual nesting patterns using query analysis tools. Network IDS/IPS signatures targeting GraphQL recursive patterns may help detect attack attempts, though signature-based detection is less effective than dependency tracking and version monitoring.
Why prioritize this
Although the CVSS score is MEDIUM (5.3), prioritization should be HIGH for internet-facing or production GraphQL APIs because exploitability is trivial and impact is immediate service disruption. Organizations running Strawberry GraphQL should patch within 1–2 weeks depending on deployment complexity and testing requirements. Internal or non-critical GraphQL services can follow standard patch cycles.
Risk score, explained
The CVSS score of 5.3 reflects availability impact (A:L) with no confidentiality or integrity effects, low attack complexity, and no privilege or user interaction barriers. The 'L' in availability acknowledges that while the denial of service is real and network-accessible, it is localized to the validation layer and does not necessarily compromise underlying data or systems permanently. However, operational risk is high due to ease of exploitation.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. The vulnerability is triggered during query validation before authentication checks occur. Any unauthenticated attacker with network access to the GraphQL endpoint can submit a malicious query.
How can we detect if we are vulnerable?
Check your Strawberry GraphQL dependency version using your package manager (pip, npm, etc.). If it is between 0.71.0 and 0.315.6 inclusive, you are vulnerable. Review your requirements.txt, pyproject.toml, or equivalent lock file.
Is there a workaround if we cannot upgrade immediately?
Temporary mitigations include deploying a WAF rule to block queries with excessive fragment nesting, implementing connection-level rate limiting, or disabling the QueryDepthLimiter extension if your threat model permits. However, these are not substitutes for upgrading.
Does this affect GraphQL clients or only Strawberry servers?
This affects Strawberry GraphQL servers exclusively. Clients are not vulnerable. Any application or service that uses Strawberry to build a GraphQL API is at risk if running a vulnerable version.
This analysis is provided for informational purposes and represents the state of the vulnerability as of the published date. Patch version numbers and affected ranges are based on vendor advisory data. Organizations should verify compatibility and conduct testing before deploying patches to production. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any actions taken in reliance on it. Consult official Strawberry GraphQL security documentation and your organization's security policy for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47707MEDIUMStrawberry GraphQL Fragment Spread Alias Bypass DoS
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint