VulnerableCode Package Details - pkg:pypi/strawberry-graphql@0.81.1.dev1663258661

Search for packages

Vulnerability	Summary	Fixed by
VCID-tevu-phwc-vbc4 Aliases: CVE-2026-35523 GHSA-vpwc-v33q-mq89 PYSEC-2026-133	Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.	0.312.3 Affected by 0 other vulnerabilities.
VCID-uek4-b39n-ruan Aliases: CVE-2024-47082 GHSA-79gp-q4wv-33fr PYSEC-2024-171	Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.	0.243.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vyty-brcb-m7b3 Aliases: CVE-2026-35526 GHSA-hv3w-m4g2-5x77 PYSEC-2026-134	Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.	0.312.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tevu-phwc-vbc4
Aliases:
CVE-2026-35523
GHSA-vpwc-v33q-mq89
PYSEC-2026-133

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.

0.312.3
Affected by 0 other vulnerabilities.

VCID-uek4-b39n-ruan
Aliases:
CVE-2024-47082
GHSA-79gp-q4wv-33fr
PYSEC-2024-171

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.

0.243.0
Affected by 2 other vulnerabilities.

VCID-vyty-brcb-m7b3
Aliases:
CVE-2026-35526
GHSA-hv3w-m4g2-5x77
PYSEC-2026-134

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.

0.312.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:24:41.554350+00:00	Pypa Importer	Affected by	VCID-tevu-phwc-vbc4	https://github.com/pypa/advisory-database/blob/main/vulns/strawberry-graphql/PYSEC-2026-133.yaml	38.6.0
2026-06-02T04:24:36.873132+00:00	Pypa Importer	Affected by	VCID-vyty-brcb-m7b3	https://github.com/pypa/advisory-database/blob/main/vulns/strawberry-graphql/PYSEC-2026-134.yaml	38.6.0
2026-06-02T04:21:51.940280+00:00	Pypa Importer	Affected by	VCID-uek4-b39n-ruan	https://github.com/pypa/advisory-database/blob/main/vulns/strawberry-graphql/PYSEC-2024-171.yaml	38.6.0