CVE-2026-35526

HIGH

Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions

Title source: cna

Description

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.

References (1)

[X_Refsource_Confirm] https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

pypi/strawberry-graphql 0 - 0.312.3PyPI

strawberry/strawberry_graphql < 0.312.3

strawberry-graphql/strawberry < 0.312.3

Published Apr 07, 2026

Tracked Since Apr 07, 2026