CVE-2026-47706 in strawberry
Summary
by MITRE • 06/04/2026
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an application-level DoS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references, the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.
Analysis
by VulDB Data Team • 06/05/2026
The Strawberry GraphQL library carries a critical vulnerability in its QueryDepthLimiter extension, affecting versions 0.71.0 through 0.315.6. The flaw is an application-level denial of service caused by missing cycle detection in fragment spread processing: the determine_depth function does not recognise circular references between the fragments of a GraphQL query. When such a query is processed, the function recurses without bound until a RecursionError is raised, which crashes the validation process and leaves the GraphQL API unavailable to legitimate users.
The flaw sits in the query parsing and validation phases, where the QueryDepthLimiter extension computes the depth of an incoming query so that overly complex queries can be rejected before they consume excessive resources. Because fragment processing performs no cycle detection, a query whose fragments reference one another in a loop sends the recursive depth calculation through the same fragments indefinitely. Each step consumes more stack, and the recursion limit is eventually exhausted, terminating the validating process with a RecursionError. This is a classic denial-of-service vector: GraphQL fragment resolution is inherently recursive, and the extension provided no safeguard against circular dependencies.
The operational impact goes beyond a single failed request: exploitation causes immediate application crashes during query validation, forcing administrators to restart services and potentially leading to extended downtime and resource exhaustion on affected systems. Any application that runs Strawberry GraphQL with the QueryDepthLimiter extension enabled is affected, which makes the issue particularly dangerous in production environments where GraphQL APIs serve critical business functions. Exploitation requires only a specially crafted query containing circular fragment references, so no advanced technical skill is needed to disrupt a service.
The vulnerability maps to CWE-674, "Uncontrolled Recursion", a weakness in which a program fails to properly control recursive calls, which can lead to stack overflow conditions. It also maps to ATT&CK technique T1499.004, "Endpoint Denial of Service", which covers attacks on application-level resources that render systems unavailable. Organizations running affected versions of Strawberry GraphQL should upgrade to version 0.315.7 as a priority; the patch addresses the root cause by adding cycle detection to the fragment traversal, preventing the infinite recursion while preserving the intended depth-limiting behaviour. Additional mitigations include query complexity analysis, resource limits on query processing, and monitoring for unusual query patterns that might indicate attempts to exploit this or similar weaknesses.
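As an added illustration of the two points above (the unbounded recursive depth calculation, and the cycle detection the patch introduces), the following Python is a constructed toy written for this page; it is not Strawberry's code and does not use Strawberry's API. It models fragments and selections as plain dictionaries and places a depth calculator without cycle detection beside one that tracks the fragments currently being expanded. The names naive_depth, safe_depth, validate_depth, naive_recursion_fails and the sample query and fragment structures are all assumptions made for the example.

```python
"""Constructed toy model of GraphQL depth limiting over fragment spreads.

Not Strawberry's code. Selections are plain dicts:
  field:  {"name": "user", "selections": [...]}
  spread: {"spread": "FragmentName"}
Fragments map a fragment name to its list of selections.
"""


def naive_depth(selections, fragments, depth=0):
    """Depth calculation with no cycle detection (the flawed pattern).

    A fragment spread is expanded in place at the current depth; nothing
    stops A -> B -> A from being expanded forever.
    """
    deepest = depth
    for sel in selections:
        if "spread" in sel:
            nested = naive_depth(fragments[sel["spread"]], fragments, depth)
        else:
            nested = naive_depth(sel["selections"], fragments, depth + 1)
        deepest = max(deepest, nested)
    return deepest


def safe_depth(selections, fragments, depth=0, active=frozenset()):
    """Depth calculation that refuses to re-enter a fragment already being expanded.

    `active` holds the fragment names on the current expansion path; meeting
    one of them again means the spreads form a cycle, so validation fails
    with a clear error instead of a RecursionError.
    """
    deepest = depth
    for sel in selections:
        if "spread" in sel:
            name = sel["spread"]
            if name in active:
                raise ValueError(f"cycle detected in fragment spread: {name}")
            if name not in fragments:
                raise ValueError(f"unknown fragment: {name}")
            nested = safe_depth(fragments[name], fragments, depth, active | {name})
        else:
            nested = safe_depth(sel["selections"], fragments, depth + 1, active)
        deepest = max(deepest, nested)
    return deepest


def validate_depth(selections, fragments, limit):
    """Accept or reject a query before execution: returns (accepted, reason)."""
    try:
        depth = safe_depth(selections, fragments)
    except ValueError as exc:
        return False, str(exc)
    if depth > limit:
        return False, f"query depth {depth} exceeds limit {limit}"
    return True, f"query depth {depth}"


def naive_recursion_fails(selections, fragments):
    """True if the unguarded calculator exhausts the recursion limit on this input."""
    try:
        naive_depth(selections, fragments)
    except RecursionError:
        return True
    return False


# Constructed sample inputs.
# A well-formed query: user -> friends -> id is three field levels deep.
FRAGMENTS_OK = {
    "UserFields": [
        {"name": "id", "selections": []},
        {"name": "friends", "selections": [{"name": "id", "selections": []}]},
    ]
}
QUERY_OK = [{"name": "user", "selections": [{"spread": "UserFields"}]}]

# A cyclic query: fragment A spreads B, and B spreads A.
FRAGMENTS_CYCLIC = {"A": [{"spread": "B"}], "B": [{"spread": "A"}]}
QUERY_CYCLIC = [{"name": "node", "selections": [{"spread": "A"}]}]


if __name__ == "__main__":
    print("well-formed query:", validate_depth(QUERY_OK, FRAGMENTS_OK, limit=5))
    print("naive calculator hits RecursionError on cycle:",
          naive_recursion_fails(QUERY_CYCLIC, FRAGMENTS_CYCLIC))
    print("guarded calculator on cycle:", validate_depth(QUERY_CYCLIC, FRAGMENTS_CYCLIC, limit=5))
```

The guard is path-local on purpose: `active` only contains the fragments on the current expansion chain, so a fragment legitimately spread in two sibling positions is still accepted, while any chain that revisits a fragment it is already inside is rejected as a cycle. That is the same condition the GraphQL specification imposes on fragment spreads, and checking it up front turns an uncontrolled-recursion crash into an ordinary validation error that can be logged and counted.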