Impact
In strawberry-graphql versions 0.288.4 to 0.315.3 the bundled GraphiQL template writes the values entered in the headers editor directly into the browser URL query string. If a user supplies a sensitive header such as an Authorization token, that value can become visible in browser history, in shared links, and in server, proxy, or CDN access logs after a page reload or when the request is shared. The weakness falls under the information-disclosure categories CWE-200 and CWE-201, and it can allow an attacker, or simply a curious user with access to those logs or links, to obtain credentials or other secrets that the application never intended to expose.
Affected Systems
The vulnerability affects the strawberry-graphql library for Python, specifically versions 0.288.4 through 0.315.3. The patch was released in version 0.315.4 and later releases contain the fix.
Risk and Exploitability
The CVSS score of 3.1 indicates a low severity risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. No special attacker capability is needed: exposure happens whenever a user interacts with the GraphiQL interface and enters custom headers, since the leak occurs client-side and the resulting URL is then recorded by any upstream system that logs request targets. While the impact is limited to information disclosure rather than code execution or denial of service, leaked tokens can lead to credential compromise if those logs or links are accessed or shared. The risk is considered low overall, but any environment where the GraphiQL UI is exposed to end users should be evaluated for accidental information leakage.
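Because the disclosure path runs through access logs, a practical defensive check is to scan those logs for header-like secrets in request query strings and to redact them before the lines are retained or shared. The following is an added example, not code from strawberry-graphql or the GHSA; the log format (common log format), the list of sensitive parameter names, and the sample lines are all assumptions constructed for illustration.

```python
"""Detect and redact Authorization-style secrets leaked into URL query strings.

Added example (not strawberry-graphql's own code). It scans constructed
access-log lines for query parameters whose name or value looks like an HTTP
auth header, which is the kind of leakage the advisory describes (GraphiQL
persisting its headers editor into the URL). Log format, parameter names and
sample data are assumptions made for this example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as sensitive (assumed list; extend per deployment).
SENSITIVE_PARAMS = {"authorization", "headers", "x-api-key", "cookie"}
# Values that look like credential schemes even under an innocuous parameter name.
SENSITIVE_VALUE_RE = re.compile(r"^(bearer|basic|token)\s", re.IGNORECASE)

# Request line inside a common-log-format entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _is_sensitive(name: str, value: str) -> bool:
    return name.lower() in SENSITIVE_PARAMS or bool(SENSITIVE_VALUE_RE.match(value))


def find_leaked_params(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in the query string that look like leaked credentials."""
    query = urlsplit(url).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if _is_sensitive(name, value)
    ]


def redact_url(url: str) -> str:
    """Replace sensitive query values with [REDACTED] so the URL is safe to store or share."""
    parts = urlsplit(url)
    cleaned = [
        (name, "[REDACTED]" if _is_sensitive(name, value) else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_access_log(lines):
    """Yield (line_number, request_target, leaked_pairs) for each log line that leaks a secret."""
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        leaked = find_leaked_params(match.group("target"))
        if leaked:
            yield lineno, match.group("target"), leaked


# Constructed sample log lines (not real traffic). The second line mimics the
# GraphiQL headers editor having been persisted into the URL as JSON; the third
# shows a bare authorization parameter. Token values are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /graphql HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /graphql?query=%7B__typename%7D'
    '&headers=%7B%22Authorization%22%3A%22Bearer%20EXAMPLETOKEN%22%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:09 +0000] "GET /graphql?query=%7Bme%7D'
    '&authorization=Bearer%20EXAMPLETOKEN2 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for lineno, target, leaked in scan_access_log(SAMPLE_LOG):
        names = ", ".join(name for name, _ in leaked)
        print(f"line {lineno}: leaked parameter(s) {names}")
        print(f"  redacted target: {redact_url(target)}")
```

Running the block reports lines 2 and 3 of the sample log and prints a redacted form of each request target. In practice the redaction step belongs as early as possible in the log pipeline (the web server or log shipper), because a token that has already reached a CDN or proxy log is outside the application's control.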
OpenCVE Enrichment
Github GHSA