PyPI package
strawberry-graphql
pkg:pypi/strawberry-graphql
1 malicious version on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- MAL-2026-4771: Malicious code in strawberry-graphql (PyPI), May 20, 2026
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-47707 | Medium | 5.3 | | >= 0.172.0, < 0.315.7 | 0.315.7 | Jun 4, 2026 | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through 0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST |
| CVE-2026-47706 | Medium | 5.3 | | >= 0.71.0, < 0.315.7 | 0.315.7 | Jun 4, 2026 | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an application-level DoS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the de |
| CVE-2026-35523 | High | 7.5 | | < 0.312.3 | 0.312.3 | Apr 7, 2026 | Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been comple |
| CVE-2026-35526 | High | 7.5 | | < 0.312.3 | 0.312.3 | Apr 7, 2026 | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscrib |
| CVE-2025-22151 | Low | 3.7 | | >= 0.182.0, < 0.257.0 | 0.257.0 | Jan 9, 2025 | Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability oc |
| CVE-2024-47082 | — | | | < 0.243.0 | 0.243.0 | Sep 25, 2024 | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integra |