CVE-2026-47706

Published: Jun 4, 2026Modified: Jun 5, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.

Affected (1)

Products: Strawberry: Strawberry Graphql

1 product

Strawberry Graphql

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Strawberry Strawberry Graphql	From 0.71.0 to 0.315.7

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

References (3)

https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.