CVE-2026-47706: Application-Level Denial of Service via Uncontrolled Recursion in Strawberry GraphQL
Vulnerability ID: CVE-2026-47706
CVSS Score: 5.3
Published: 2026-06-04
An application-level Denial of Service vulnerability exists in the Strawberry GraphQL library (versions 0.71.0 through 0.315.6) due to uncontrolled recursion within the QueryDepthLimiter and MaxAliasesLimiter extensions when processing circular fragment references.
TL;DR
A recursive fragment loop triggers a RecursionError in Python, crashing worker threads/processes and resulting in complete Denial of Service.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-674 / CWE-400
- Attack Vector: Network (AV:N)
- CVSS Score: 5.3 (Medium)
- Exploit Status: Proof of Concept Available
- CISA KEV Status: Not Listed
- Impact: Availability (Denial of Service)
Affected Systems
- Strawberry GraphQL
- strawberry-graphql: >= 0.71.0, <= 0.315.6 (Fixed in: 0.315.7)
Mitigation Strategies
- Upgrade to strawberry-graphql version 0.315.7 or later
- Temporarily disable QueryDepthLimiter and MaxAliasesLimiter
- Validate incoming GraphQL queries at an API gateway layer
Remediation Steps
- Update the requirements.txt, poetry.lock, or Pipfile to specify strawberry-graphql>=0.315.7
- Run the dependency installation tool (e.g., pip install --upgrade strawberry-graphql)
- Deploy updated container images to staging and production environments
- Verify validation rules reject circular fragments without throwing internal server errors
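The gateway-layer validation mentioned under Mitigation Strategies and the final verification step above, as an added example in Python (this is not Strawberry's code or the advisory's, and it does not reproduce the affected extensions): a self-contained fragment-cycle check that a gateway can run before forwarding a document, returning a normal GraphQL error payload instead of an internal server error. The walk over the fragment graph is iterative, so a long fragment chain cannot grow the Python call stack. The regex-based scan is deliberately simple (string literals or comments containing braces or `...` would confuse it); a production gateway should run graphql-core's NoFragmentCyclesRule instead (assumed available in graphql-core 3.x). Function names and the sample documents are this example's own.

```python
"""Gateway-side pre-check for circular GraphQL fragment references.

Added example, not part of Strawberry or of the advisory. Builds a
fragment -> spread-fragments graph from the document text and looks for a
cycle without recursion, so the checker itself cannot hit RecursionError.
"""
import re
from typing import Dict, List, Optional, Set

# 'fragment Name on Type'  -> captures Name
FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+")
# '...Name' -> captures Name ('... on Type' is an inline fragment, filtered below)
SPREAD = re.compile(r"\.\.\.\s*(\w+)")


def _selection_set(text: str, start: int) -> str:
    """Return the brace-delimited selection set beginning at the first '{' after start."""
    open_idx = text.find("{", start)
    if open_idx == -1:
        return ""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx:i + 1]
    return text[open_idx:]  # unbalanced braces: take the remainder


def fragment_graph(query: str) -> Dict[str, Set[str]]:
    """Map each named fragment to the set of named fragments it spreads."""
    graph: Dict[str, Set[str]] = {}
    for match in FRAGMENT_DEF.finditer(query):
        body = _selection_set(query, match.end())
        graph[match.group(1)] = {s for s in SPREAD.findall(body) if s != "on"}
    return graph


def find_fragment_cycle(query: str) -> Optional[List[str]]:
    """Return the fragment names forming a cycle (first node repeated at the end), or None.

    Iterative three-colour DFS with an explicit stack: GREY nodes are on the
    current path, so reaching a GREY node again means a cycle.
    """
    graph = fragment_graph(query)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}
    for root in graph:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        path: List[str] = [root]
        stack = [(root, iter(sorted(graph[root])))]
        while stack:
            node, children = stack[-1]
            child = next(children, None)
            if child is None:           # all spreads of this fragment explored
                colour[node] = BLACK
                stack.pop()
                path.pop()
                continue
            if child not in graph:      # spread of an undefined fragment: a separate validation error
                continue
            if colour[child] == GREY:   # back edge: cycle found
                return path[path.index(child):] + [child]
            if colour[child] == WHITE:
                colour[child] = GREY
                path.append(child)
                stack.append((child, iter(sorted(graph[child]))))
    return None


def gateway_precheck(query: str) -> Optional[dict]:
    """Return a GraphQL-style error payload for a document with a fragment cycle, else None.

    A gateway can answer with this payload (e.g. HTTP 400) instead of forwarding
    the request to the application server.
    """
    cycle = find_fragment_cycle(query)
    if cycle is None:
        return None
    return {"errors": [{"message": "Cannot spread fragment cycle: " + " -> ".join(cycle)}]}


# Constructed sample documents for the check (not taken from the advisory).
ACYCLIC_QUERY = """
query { user { ...UserFields } }
fragment UserFields on User { id ...NameFields }
fragment NameFields on User { name }
"""

CYCLIC_QUERY = """
query { user { ...A } }
fragment A on User { id ...B }
fragment B on User { name ...A }
"""

SELF_SPREAD_QUERY = """
query { user { ...S } }
fragment S on User { id ...S }
"""

if __name__ == "__main__":
    for label, doc in [("acyclic", ACYCLIC_QUERY), ("cyclic", CYCLIC_QUERY), ("self", SELF_SPREAD_QUERY)]:
        print(label, gateway_precheck(doc))
```

Running the module prints None for the acyclic document and an error payload naming the cycle for the other two; in a deployment the same check belongs in the gateway's request handler, ahead of any forwarding to the Strawberry server.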
References
- GitHub Security Advisory GHSA-qfwv-87qj-98xq
- Strawberry GraphQL Release v0.315.7
- CVE-2026-47706 Record Database