CVE-2024-47082 in graphql
Summary
by MITRE • 09/25/2024
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF-preventing security mechanisms for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In effect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` version including a patch.
Analysis
by VulDB Data Team • 03/09/2025
The vulnerability described in CVE-2024-47082 affects the Strawberry GraphQL library, a popular Python implementation for building GraphQL APIs. The flaw is a critical default configuration issue that left all installations vulnerable to cross-site request forgery (CSRF) attacks unless the user intervened explicitly. It specifically concerns the multipart file upload functionality implementing the GraphQL multipart request specification, which was enabled by default in versions prior to 0.243.0. Because the feature was on by default, developers could unknowingly expose their GraphQL endpoints to CSRF simply by using the library without additional security configuration.
Technically, the vulnerability stems from the library's default behaviour in its HTTP view integrations, and particularly in the Django integration, whose view was exempted by default from the protection of Django's `CsrfViewMiddleware`. This design decision created a fundamental security gap: the GraphQL endpoint could accept multipart requests without any CSRF token validation. Multipart requests matter here because a browser will submit a `multipart/form-data` form to another origin without a CORS preflight, whereas a JSON body with an `application/json` content type is not sent cross-origin without one. The flaw therefore sits at the integration layer, where the library's HTTP handlers accepted file uploads without requiring CSRF tokens, which is particularly problematic since GraphQL endpoints often perform sensitive data operations. The vulnerability manifests when a malicious actor crafts a request that the server treats as originating from a legitimate, authenticated user, exploiting the absence of the CSRF protection mechanisms that should normally validate the request's origin.
The operational impact of this vulnerability extends across all Strawberry GraphQL installations using HTTP view integrations, affecting both developers and organizations that rely on the library for their GraphQL API implementations. Enabling multipart file upload support by default meant that security was compromised out of the box: even organizations with otherwise sound security practices could be vulnerable if they had not explicitly configured CSRF protection. This is particularly concerning in environments where developers may not be fully aware of the security implications of third-party libraries whose default configurations prioritize convenience over security. While all HTTP view integrations are affected, the Django integration is affected most directly, since its default exemption from Django's built-in CSRF protection was the primary vector for exploitation.
The remediation for this vulnerability required a patch release, version 0.243.0, which addressed the default configuration issue by making multipart file upload support disabled by default and ensuring that proper CSRF protection mechanisms are in place. This update represents a shift from a permissive default to a more secure configuration in which potentially dangerous features must be enabled explicitly. Security practitioners should immediately update their Strawberry GraphQL installations to version 0.243.0 or later to address this vulnerability. The fix aligns with the security best practices outlined for CWE-352, which specifically addresses cross-site request forgery, and follows the principles established in the ATT&CK framework's web application attacks category, where CSRF is classified as a technique for privilege escalation and unauthorized operations. Organizations should also review their existing GraphQL endpoints, and their request logs, for any signs of exploitation during the period when the vulnerability was active, focusing in particular on file upload operations that could have been leveraged by attackers.
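To illustrate both the default behaviour described in the analysis above and the shape of the 0.243.0 remediation, the following added example models the decision a multipart GraphQL handler has to make; it is constructed for this page and is not Strawberry's or Django's own code. The `Request` class, the `handle` function with its `multipart_uploads_enabled` and `csrf_exempt` flags, and the sample upload request are assumptions standing in for the real integration; the CSRF check mirrors the double-submit pattern of `CsrfViewMiddleware`, and the file mapping follows the GraphQL multipart request specification.

```python
import hmac
import json
from dataclasses import dataclass, field

@dataclass
class Request:
    content_type: str
    form: dict                                  # parsed multipart/form-data fields
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def csrf_token_valid(req: Request) -> bool:
    """CsrfViewMiddleware-style double submit: header/form token must match the cookie."""
    cookie = req.cookies.get("csrftoken", "")
    sent = req.headers.get("X-CSRFToken") or req.form.get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, sent)

def parse_multipart_operations(form: dict) -> dict:
    """GraphQL multipart request spec: 'map' points each file part at a dotted
    path inside 'operations' (e.g. 'variables.f') that the file replaces."""
    operations = json.loads(form["operations"])
    for part, paths in json.loads(form["map"]).items():
        for path in paths:
            *parents, last = path.split(".")
            target = operations
            for key in parents:
                target = target[int(key) if isinstance(target, list) else key]
            target[int(last) if isinstance(target, list) else last] = form[part]
    return operations

def handle(req: Request, multipart_uploads_enabled: bool = False,
           csrf_exempt: bool = False) -> tuple:
    """Post-0.243.0 defaults: uploads off and CSRF enforced. Passing both flags
    as True reproduces the pre-0.243.0 default of the Django integration (assumed model)."""
    if not multipart_uploads_enabled:
        return ("rejected", "multipart uploads disabled")
    if not csrf_exempt and not csrf_token_valid(req):
        return ("rejected", "csrf token missing or invalid")
    return ("accepted", parse_multipart_operations(req.form))

# Constructed samples: a cross-site request carries the browser's cookies but no CSRF token.
UPLOAD_FORM = {
    "operations": '{"query": "mutation($f: Upload!) { upload(file: $f) }", "variables": {"f": null}}',
    "map": '{"0": ["variables.f"]}',
    "0": b"file contents",
}
COOKIES = {"sessionid": "victim", "csrftoken": "abc123"}
FORGED = Request("multipart/form-data; boundary=x", dict(UPLOAD_FORM), cookies=COOKIES)
LEGIT = Request("multipart/form-data; boundary=x", dict(UPLOAD_FORM), cookies=COOKIES,
                headers={"X-CSRFToken": "abc123"})
```

With the hardened defaults `handle(FORGED)` is rejected before the body is even parsed, while the same request is accepted once both legacy flags are set; the legitimate client, which echoes the token in `X-CSRFToken`, is accepted with uploads enabled and CSRF enforced.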