PatchSiren cyber security CVE debrief
CVE-2026-47707 strawberry-graphql CVE debrief
CVE-2026-47707 is a vulnerability in the MaxAliasesLimiter extension of Strawberry GraphQL, a Python library for building GraphQL APIs. Versions 0.172.0 through 0.315.6 are affected. The extension fails to account for the multiplicative effect of FragmentSpreadNode, so the alias count it enforces does not scale with the number of times a fragment is spread, allowing attackers to bypass the configured alias limit. This can lead to denial of service (DoS) via resource exhaustion. The issue has been fixed in version 0.315.7.
- Vendor: strawberry-graphql
- Product: strawberry
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-05
Who should care
Anyone running Strawberry GraphQL at an affected version (0.172.0 through 0.315.6), particularly deployments that rely on MaxAliasesLimiter to bound query cost, should be aware of this vulnerability and apply the defensive actions below.
Technical summary
The MaxAliasesLimiter extension in Strawberry GraphQL does not correctly account for the amplification effect of FragmentSpreadNode: the alias count it enforces does not grow with the number of times a fragment is spread. A query can therefore pass the limiter while forcing the server to resolve and render a significantly higher number of aliases than the configured limit allows, potentially leading to DoS via resource exhaustion.
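As an added illustration (not Strawberry's own code or its real AST), the hypothetical counter below contrasts tallying each fragment definition once with expanding every spread site; the dict-based AST, the fragment name F, the field aliases and the spread count are constructed sample values.

```python
from __future__ import annotations

# Constructed sample document in a minimal dict-based AST (not Strawberry's
# real AST): fragment "F" holds three aliased fields and is spread four times.
FRAGMENTS = {
    "F": [
        {"kind": "Field", "alias": "a1", "selections": []},
        {"kind": "Field", "alias": "a2", "selections": []},
        {"kind": "Field", "alias": "a3", "selections": []},
    ],
}
OPERATION = [{"kind": "FragmentSpread", "name": "F"} for _ in range(4)]


def _count_fields(selections):
    """Count aliased fields in a selection set, ignoring fragment spreads."""
    total = 0
    for sel in selections:
        if sel["kind"] == "Field":
            total += 1 if sel.get("alias") else 0
            total += _count_fields(sel["selections"])
    return total


def count_aliases_naive(operation, fragments):
    """Flawed pattern: each fragment definition is counted once, however
    many times it is spread, so four spreads of F still count as 3."""
    return _count_fields(operation) + sum(
        _count_fields(body) for body in fragments.values())


def count_aliases_expanded(operation, fragments, _stack=()):
    """Hardened pattern: count aliases at every spread site so the total
    scales with the number of spreads. Cyclic spreads are rejected."""
    total = 0
    for sel in operation:
        if sel["kind"] == "Field":
            total += 1 if sel.get("alias") else 0
            total += count_aliases_expanded(sel["selections"], fragments, _stack)
        elif sel["kind"] == "FragmentSpread":
            name = sel["name"]
            if name in _stack:
                raise ValueError(f"cyclic fragment spread: {name}")
            total += count_aliases_expanded(
                fragments[name], fragments, _stack + (name,))
    return total


def exceeds_limit(operation, fragments, max_aliases):
    """True when the fully expanded alias count exceeds the limit."""
    return count_aliases_expanded(operation, fragments) > max_aliases
```

With a limit of 10, the naive count (3) lets the document through while the expanded count (12) rejects it.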
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Strawberry GraphQL version 0.315.7 or later.
- Review and adjust alias limits according to your application's specific needs.
Evidence notes
The CVE-2026-47707 record and associated details are sourced from official databases and vendor advisories.
Official resources
- CVE-2026-47707 CVE record (CVE.org)
- CVE-2026-47707 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Product, Release Notes)
- Mitigation or vendor reference: [email protected] (Exploit, Vendor Advisory)
CVE-2026-47707 was published on 2026-06-04T15:16:55.283Z and modified on 2026-06-05T17:38:44.720Z.