Suggestions search

Published

Filter by:

With package: pkgsRocm.python3Packages.strawberry-graphql

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-35526

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 1 day, 23 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 8 hours ago
@LeSuisse removed package pkgsRocm.python3Packages.strawberry-django 2 days ago
@LeSuisse removed package python313Packages.strawberry-django 2 days ago
@LeSuisse removed package python312Packages.strawberry-django 2 days ago
@LeSuisse removed package strawberry-qt6 2 days ago
@LeSuisse removed package strawberry 2 days ago
@LeSuisse accepted 2 days ago
@LeSuisse published on GitHub 1 day, 23 hours ago

Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.

References

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77 x_refsource_CONFIRM

Affected products

strawberry

==< 0.312.3

Matching in nixpkgs

pkgs.python312Packages.strawberry-graphql

GraphQL library for Python that leverages type annotations

nixos-25.11 0.278.0
- nixos-25.11-small 0.278.0
- nixpkgs-25.11-darwin 0.278.0

pkgs.python313Packages.strawberry-graphql

GraphQL library for Python that leverages type annotations

nixos-unstable 0.289.2
- nixpkgs-unstable 0.289.2
- nixos-unstable-small 0.289.2
nixos-25.11 0.278.0
- nixos-25.11-small 0.278.0
- nixpkgs-25.11-darwin 0.278.0

pkgs.pkgsRocm.python3Packages.strawberry-graphql

GraphQL library for Python that leverages type annotations

nixos-unstable 0.289.2
- nixpkgs-unstable 0.289.2
- nixos-unstable-small 0.289.2

Ignored packages (5)

pkgs.strawberry

Music player and music collection organizer

nixos-unstable 1.2.18
- nixpkgs-unstable 1.2.18
- nixos-unstable-small 1.2.18
nixos-25.11 1.2.13
- nixos-25.11-small 1.2.13
- nixpkgs-25.11-darwin 1.2.13

pkgs.strawberry-qt6

Music player and music collection organizer

pkgs.python312Packages.strawberry-django

Strawberry GraphQL Django extension

nixos-25.11 0.65.1
- nixos-25.11-small 0.65.1
- nixpkgs-25.11-darwin 0.65.1

pkgs.python313Packages.strawberry-django

Strawberry GraphQL Django extension

nixos-unstable 0.75.1
- nixpkgs-unstable 0.75.1
- nixos-unstable-small 0.75.1
nixos-25.11 0.65.1
- nixos-25.11-small 0.65.1
- nixpkgs-25.11-darwin 0.65.1

pkgs.pkgsRocm.python3Packages.strawberry-django

Strawberry GraphQL Django extension

nixos-unstable 0.75.1
- nixpkgs-unstable 0.75.1
- nixos-unstable-small 0.75.1

Package maintainers

@Izorkin Yurii Izorkin <Izorkin@gmail.com>

Permalink CVE-2026-35523

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 day, 23 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 8 hours ago
@LeSuisse removed package strawberry 1 day, 23 hours ago
@LeSuisse removed package strawberry-qt6 1 day, 23 hours ago
@LeSuisse removed package python312Packages.strawberry-django 1 day, 23 hours ago
@LeSuisse removed package python313Packages.strawberry-django 1 day, 23 hours ago
@LeSuisse removed package pkgsRocm.python3Packages.strawberry-django 1 day, 23 hours ago
@LeSuisse accepted 1 day, 23 hours ago
@LeSuisse published on GitHub 1 day, 23 hours ago

Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.

References

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89 x_refsource_CONFIRM

Affected products

strawberry

==< 0.312.3

Matching in nixpkgs

pkgs.python312Packages.strawberry-graphql

GraphQL library for Python that leverages type annotations

nixos-25.11 0.278.0
- nixos-25.11-small 0.278.0
- nixpkgs-25.11-darwin 0.278.0

pkgs.python313Packages.strawberry-graphql

GraphQL library for Python that leverages type annotations

nixos-unstable 0.289.2
- nixpkgs-unstable 0.289.2
- nixos-unstable-small 0.289.2
nixos-25.11 0.278.0
- nixos-25.11-small 0.278.0
- nixpkgs-25.11-darwin 0.278.0