VuXML: py-strawberry-graphql -- Multiple vulnerabilities
Affected packages

Package                          Version
py310-strawberry-graphql         0.312.3
py311-strawberry-graphql         0.312.3
py312-strawberry-graphql         0.312.3
py313-strawberry-graphql         0.312.3
py313t-strawberry-graphql        0.312.3
py314-strawberry-graphql         0.312.3
py310-dj52-strawberry-graphql    0.312.3
py311-dj52-strawberry-graphql    0.312.3
py312-dj52-strawberry-graphql    0.312.3
py313-dj52-strawberry-graphql    0.312.3
py313t-dj52-strawberry-graphql   0.312.3
py314-dj52-strawberry-graphql    0.312.3
Details

VuXML ID:  6a0aa20d-399f-11f1-8626-901b0edee044
Discovery: 2026-04-04
Entry:     2026-04-17
The Strawberry GraphQL project reports:
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass
on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler
does not verify that a 'connection_init' handshake has been completed before
processing start (subscription) messages. This allows a remote attacker to skip
the 'on_ws_connect' authentication hook entirely by connecting with the
graphql-ws subprotocol and sending a start message directly, without ever
sending 'connection_init'.

The graphql-transport-ws subprotocol handler is not affected, as it correctly
gates subscription operations on a connection_acknowledged flag. However, both
subprotocols are enabled by default in all framework integrations that support
websockets, and the subprotocol is selected by the client via the
Sec-WebSocket-Protocol header.

Any application relying on 'on_ws_connect' for authentication or authorization
is affected.
Strawberry GraphQL's WebSocket subscription handlers for both the
'graphql-transport-ws' and legacy 'graphql-ws' protocols allocate an
asyncio.Task and associated Operation object for every incoming subscribe
message without enforcing any limit on the number of active subscriptions per
connection.

An unauthenticated attacker can open a single WebSocket connection, send
connection_init, and then flood subscribe messages with unique IDs. Each
message unconditionally spawns a new 'asyncio.Task' and async generator,
causing linear memory growth and event loop saturation. This leads to server
degradation or an OOM crash.
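The two reports above describe one missing check (the legacy graphql-ws handler accepting start messages before a connection_init handshake) and one missing limit (no cap on concurrently active subscriptions per connection). The following is an added example written for this entry, not code from the Strawberry project: a minimal message-level gatekeeper that enforces both controls in front of whatever actually spawns the subscription task. The class and function names (ConnectionGate, run_script), the cap value, and the token check inside on_ws_connect are hypothetical stand-ins; the message type names are those used by the two subprotocols named in the advisory.

```python
"""Added example (not Strawberry's code): a per-connection gate for
GraphQL-over-WebSocket messages that enforces two controls:
  1. no start/subscribe message is processed before an accepted
     connection_init handshake, for either subprotocol;
  2. the number of concurrently active subscriptions per connection is capped.
All identifiers here are hypothetical; the sample messages are constructed."""
from dataclasses import dataclass, field

# Operation messages of the two subprotocols: legacy graphql-ws uses
# "start"/"stop", graphql-transport-ws uses "subscribe"/"complete".
START_TYPES = {"start", "subscribe"}
STOP_TYPES = {"stop", "complete"}


@dataclass
class ConnectionGate:
    max_active: int = 100                      # hypothetical per-connection cap
    authenticated: bool = False                # set only after on_ws_connect accepts
    active: set = field(default_factory=set)   # operation ids currently running

    def on_ws_connect(self, payload: dict) -> bool:
        # Stand-in for the application's authentication hook (constructed check).
        return payload.get("token") == "valid-token"

    def handle(self, msg: dict) -> str:
        """Return an outcome string for one inbound message.
        Outcomes starting with "close:" mean the caller should drop the socket
        and cancel every task in self.active."""
        mtype = msg.get("type")

        if mtype == "connection_init":
            if self.authenticated:
                return "error: duplicate connection_init"
            if not self.on_ws_connect(msg.get("payload") or {}):
                return "close: unauthorized"
            self.authenticated = True
            return "connection_ack"

        if mtype in START_TYPES:
            # Control 1: the handshake gate applies to both subprotocols, so a
            # client cannot bypass it by negotiating the legacy one.
            if not self.authenticated:
                return "close: operation before connection_init"
            op_id = msg.get("id")
            if op_id is None or op_id in self.active:
                return "error: invalid or duplicate id"
            # Control 2: refuse to allocate another task beyond the cap; unique
            # ids alone no longer buy unbounded growth.
            if len(self.active) >= self.max_active:
                return "close: too many active subscriptions"
            self.active.add(op_id)
            return f"started {op_id}"

        if mtype in STOP_TYPES:
            self.active.discard(msg.get("id"))
            return "stopped"

        return "error: unknown message type"


def run_script(messages: list, max_active: int = 100) -> list:
    """Feed a constructed sequence of messages through one gate; return outcomes."""
    gate = ConnectionGate(max_active=max_active)
    return [gate.handle(m) for m in messages]


if __name__ == "__main__":
    # Constructed sequence: a start sent on the legacy subprotocol with no
    # handshake is refused; after a valid handshake the cap is enforced.
    print(run_script([{"type": "start", "id": "1"}]))
    print(run_script([
        {"type": "connection_init", "payload": {"token": "valid-token"}},
        {"type": "subscribe", "id": "a"},
        {"type": "subscribe", "id": "b"},
    ], max_active=1))
```

The gate is deliberately independent of the subprotocol negotiated via Sec-WebSocket-Protocol: the handshake check runs on the message type, not on the handler selected, which is the property the advisory says the legacy handler lacked. In a real server the "close:" outcomes should also cancel the tasks tracked in `active`, otherwise the per-connection cap bounds allocation but not lifetime.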
References

CVE Name: CVE-2026-35523
CVE Name: CVE-2026-35526
Copyright © 2003-2005
Jacques Vidrine and contributors
Please see the source of this document for full copyright
information.