Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1877

NIXPKGS-2026-1877
published 6 hours ago
Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Permalink CVE-2026-47707
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 6 hours ago by @LeSuisse Activity log
  • Created suggestion 11 hours ago
  • @LeSuisse ignored
    3 packages
    • strawberry
    • python313Packages.strawberry-django
    • pkgsRocm.python3Packages.strawberry-django
    7 hours ago
  • @LeSuisse accepted 7 hours ago
  • @LeSuisse published on GitHub 6 hours ago
Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.

Affected products

strawberry
  • ==>= 0.172.0, < 0.315.7

Matching in nixpkgs

Ignored packages (3)

Package maintainers