Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/strawberry-graphql@0.133.6.dev1665517139
Typepypi
Namespace
Namestrawberry-graphql
Version0.133.6.dev1665517139
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.312.3
Latest_non_vulnerable_version0.312.3
Affected_by_vulnerabilities
0
url VCID-tevu-phwc-vbc4
vulnerability_id VCID-tevu-phwc-vbc4
summary Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
references
0
reference_url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89
fixed_packages
0
url pkg:pypi/strawberry-graphql@0.312.3
purl pkg:pypi/strawberry-graphql@0.312.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.312.3
aliases CVE-2026-35523, GHSA-vpwc-v33q-mq89, PYSEC-2026-133
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tevu-phwc-vbc4
1
url VCID-uek4-b39n-ruan
vulnerability_id VCID-uek4-b39n-ruan
summary Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.
references
0
reference_url https://github.com/strawberry-graphql/strawberry/commit/37265b230e511480a9ceace492f9f6a484be1387
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/strawberry-graphql/strawberry/commit/37265b230e511480a9ceace492f9f6a484be1387
1
reference_url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-79gp-q4wv-33fr
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-79gp-q4wv-33fr
2
reference_url https://strawberry.rocks/docs/breaking-changes/0.243.0
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://strawberry.rocks/docs/breaking-changes/0.243.0
fixed_packages
0
url pkg:pypi/strawberry-graphql@0.243.0
purl pkg:pypi/strawberry-graphql@0.243.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tevu-phwc-vbc4
1
vulnerability VCID-vyty-brcb-m7b3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.243.0
aliases CVE-2024-47082, GHSA-79gp-q4wv-33fr, PYSEC-2024-171
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uek4-b39n-ruan
2
url VCID-vyty-brcb-m7b3
vulnerability_id VCID-vyty-brcb-m7b3
summary Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.
references
0
reference_url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77
fixed_packages
0
url pkg:pypi/strawberry-graphql@0.312.3
purl pkg:pypi/strawberry-graphql@0.312.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.312.3
aliases CVE-2026-35526, GHSA-hv3w-m4g2-5x77, PYSEC-2026-134
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vyty-brcb-m7b3
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.133.6.dev1665517139