{"url":"http://public2.vulnerablecode.io/api/packages/49429?format=json","purl":"pkg:pypi/strawberry-graphql@0.304.0","type":"pypi","namespace":"","name":"strawberry-graphql","version":"0.304.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.312.3","latest_non_vulnerable_version":"0.312.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37275?format=json","vulnerability_id":"VCID-tevu-phwc-vbc4","summary":"Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init.  This vulnerability is fixed in 0.312.3.","references":[{"reference_url":"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49449?format=json","purl":"pkg:pypi/strawberry-graphql@0.312.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.312.3"}],"aliases":["CVE-2026-35523","GHSA-vpwc-v33q-mq89","PYSEC-2026-133"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tevu-phwc-vbc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37274?format=json","vulnerability_id":"VCID-vyty-brcb-m7b3","summary":"Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.","references":[{"reference_url":"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49449?format=json","purl":"pkg:pypi/strawberry-graphql@0.312.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.312.3"}],"aliases":["CVE-2026-35526","GHSA-hv3w-m4g2-5x77","PYSEC-2026-134"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vyty-brcb-m7b3"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/strawberry-graphql@0.304.0"}