Description
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in Strawberry GraphQL's WebSocket subscription handling, where each subscribe message creates a new asyncio.Task and an Operation object without any cap on the number of concurrent operations per connection. This unbounded allocation leads to linear memory growth and event loop saturation, eventually causing the server to degrade, become unresponsive, or crash with an out-of-memory condition. The weakness matches CWE-770, reflecting an uncontrolled resource consumption flaw.

Affected Systems

The affected product is the Strawberry GraphQL library, used to build GraphQL APIs, in versions prior to 0.312.3. Users of the library in any environment—be it web, mobile, or microservice—are potentially impacted if they rely on the default WebSocket subscription implementation.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. No EPSS score is available, and the vulnerability has not been listed in the CISA KEV catalog. The attack can be carried out by an unauthenticated adversary who opens a single WebSocket connection, sends connection_init, and floods the server with subscribe messages carrying unique IDs. Because each message spawns a new asynchronous generator, the server’s memory continues to increase, eventually exhausting resources and leading to a denial of service. The absence of a limiting mechanism makes exploitation straightforward and highly likely when the vulnerable version is in use.

Generated by OpenCVE AI on April 7, 2026 at 22:47 UTC.
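The limiting mechanism whose absence the analysis above identifies, shown as an added illustration written for this page; it is not Strawberry GraphQL's code, and the actual mechanism and limit used in the fixed release are not stated on this page. It is a minimal asyncio handler for the graphql-transport-ws message types the description names (connection_init, subscribe, complete) that refuses a subscribe once a per-connection cap is reached, before any asyncio.Task or async generator is allocated, and releases the slot when the operation completes. The names Connection, simulate_flood, fake_subscription_source and the cap value DEFAULT_MAX_SUBSCRIPTIONS are hypothetical, and the traffic simulate_flood replays is constructed input.

```python
import asyncio
from dataclasses import dataclass, field
from typing import AsyncIterator, Dict, List

# Hypothetical cap; the limit Strawberry 0.312.3 applies is not stated on this page.
DEFAULT_MAX_SUBSCRIPTIONS = 100


async def fake_subscription_source(op_id: str) -> AsyncIterator[dict]:
    """Stand-in for a subscription resolver's async generator (constructed for this example)."""
    tick = 0
    while True:
        await asyncio.sleep(0.01)
        tick += 1
        yield {"id": op_id, "tick": tick}


@dataclass
class Connection:
    """Server-side state for one WebSocket connection, with a bounded operation table."""
    max_subscriptions: int = DEFAULT_MAX_SUBSCRIPTIONS
    initialized: bool = False
    operations: Dict[str, asyncio.Task] = field(default_factory=dict)
    sent: List[dict] = field(default_factory=list)  # outbound wire messages, recorded

    async def handle(self, message: dict) -> dict:
        """Process one client message; returns an internal result record for the caller."""
        kind = message.get("type")
        if kind == "connection_init":
            self.initialized = True
            self._send({"type": "connection_ack"})
            return {"type": "acked"}
        if not self.initialized:
            self._send({"type": "close", "code": 4401, "reason": "Unauthorized"})
            return {"type": "closed", "code": 4401}
        if kind == "subscribe":
            return self._subscribe(message["id"])
        if kind == "complete":
            return self._complete(message["id"])
        self._send({"type": "close", "code": 4400, "reason": "Bad request"})
        return {"type": "closed", "code": 4400}

    def _subscribe(self, op_id: str) -> dict:
        if op_id in self.operations:
            # A duplicate id is a protocol error in graphql-transport-ws (close code 4409).
            self._send({"type": "close", "code": 4409, "reason": f"Subscriber for {op_id} already exists"})
            return {"type": "closed", "code": 4409}
        # The guard the advisory says was missing: check the cap BEFORE allocating a task.
        if len(self.operations) >= self.max_subscriptions:
            self._send({"type": "error", "id": op_id,
                        "payload": [{"message": "Too many active subscriptions"}]})
            return {"type": "error", "id": op_id}
        self.operations[op_id] = asyncio.create_task(self._run(op_id))
        return {"type": "accepted", "id": op_id}

    async def _run(self, op_id: str) -> None:
        me = asyncio.current_task()
        try:
            async for event in fake_subscription_source(op_id):
                self._send({"type": "next", "id": op_id, "payload": event})
        finally:
            # Release the slot only if this task still owns it (the id may have been reused).
            if self.operations.get(op_id) is me:
                del self.operations[op_id]

    def _complete(self, op_id: str) -> dict:
        task = self.operations.pop(op_id, None)  # slot is freed immediately
        if task is not None:
            task.cancel()
        return {"type": "completed", "id": op_id}

    def _send(self, msg: dict) -> None:
        self.sent.append(msg)

    async def close(self) -> None:
        """Cancel every live operation, as on socket disconnect."""
        tasks = list(self.operations.values())
        self.operations.clear()
        for task in tasks:
            task.cancel()
        await asyncio.gather(*tasks, return_exceptions=True)


def simulate_flood(max_subscriptions: int, flood_size: int) -> dict:
    """Replay the attack shape from the description (constructed traffic) against the bounded handler."""
    async def scenario() -> dict:
        conn = Connection(max_subscriptions=max_subscriptions)
        await conn.handle({"type": "connection_init"})
        results = [await conn.handle({"type": "subscribe", "id": f"op-{i}",
                                      "payload": {"query": "subscription { tick }"}})
                   for i in range(flood_size)]
        await asyncio.sleep(0.1)  # let the accepted operations emit a few events
        active_after_flood = len(conn.operations)
        # Completing an operation frees its slot, so a well-behaved client is not starved.
        await conn.handle({"type": "complete", "id": "op-0"})
        reuse = await conn.handle({"type": "subscribe", "id": "op-new", "payload": {}})
        await conn.close()
        return {
            "accepted": sum(r["type"] == "accepted" for r in results),
            "rejected": sum(r["type"] == "error" for r in results),
            "active_after_flood": active_after_flood,
            "events_emitted": sum(m["type"] == "next" for m in conn.sent),
            "slot_reused": reuse["type"] == "accepted",
            "active_after_close": len(conn.operations),
        }
    return asyncio.run(scenario())


if __name__ == "__main__":
    print(simulate_flood(max_subscriptions=3, flood_size=10))
```

The point of the ordering is that the cap is evaluated against the per-connection operation table before asyncio.create_task runs, so a rejected subscribe costs one outbound error message and nothing else; the "rejected" count the simulation returns is also the kind of signal the "abnormal subscription rates" recommendation below can be built on.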

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strawberry GraphQL to version 0.312.3 or later
  • Monitor WebSocket connection usage for abnormal subscription rates

Generated by OpenCVE AI on April 7, 2026 at 22:47 UTC.


Advisories

Source: Github GHSA
ID: GHSA-hv3w-m4g2-5x77
Title: strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
History

Fri, 17 Apr 2026 20:45:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Strawberry, strawberry Graphql
Type: CPEs; Values Removed: (none); Values Added: cpe:2.3:a:strawberry:strawberry_graphql:*:*:*:*:*:python:*:*
Type: Vendors & Products; Values Removed: (none); Values Added: Strawberry, strawberry Graphql

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Strawberry, Strawberry strawberry
Type: Vendors & Products; Values Removed: (none); Values Added: Strawberry, Strawberry strawberry

Wed, 08 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc); Values Removed: (none); Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type: Description; Values Removed: (none); Values Added: Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.
Type: Title; Values Removed: (none); Values Added: Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Type: Weaknesses; Values Removed: (none); Values Added: CWE-770
Type: References; Values Removed: (none); Values Added: (none listed)
Type: Metrics (cvssV3_1); Values Removed: (none); Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:55:58.026Z

Reserved: 2026-04-03T02:15:39.281Z

Link: CVE-2026-35526

Vulnrichment

Updated: 2026-04-08T14:55:51.844Z

NVD

Status : Analyzed

Published: 2026-04-07T16:16:28.843

Modified: 2026-04-17T20:37:10.447

Link: CVE-2026-35526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:12Z

Weaknesses