CVE-2026-47706: CWE-400: Uncontrolled Resource Consumption in strawberry-graphql strawberry
CVE-2026-47706 is a medium severity vulnerability in the strawberry-graphql library versions 0. 71. 0 through 0. 315. 6. The QueryDepthLimiter extension lacks cycle detection in fragment spreads, causing infinite recursion when queries contain circular fragment references. This results in a RecursionError that crashes the validation process, leading to an application-level denial of service. The issue is fixed in version 0. 315. 7.
AI Analysis
Technical Summary
Strawberry GraphQL's QueryDepthLimiter extension in versions from 0.71.0 up to but not including 0.315.7 does not detect cycles in fragment spreads within GraphQL queries. When a query includes circular fragment references, the determine_depth function enters infinite recursion, causing a RecursionError and crashing the validation process. This uncontrolled resource consumption leads to an application-level denial of service. The vulnerability is addressed in version 0.315.7.
Potential Impact
An attacker can craft GraphQL queries with circular fragment references that cause infinite recursion during query validation, resulting in a RecursionError and crashing the application process. This leads to denial of service without impacting confidentiality or integrity.
Mitigation Recommendations
Upgrade strawberry-graphql to version 0.315.7 or later, where this vulnerability is patched. Patch status is confirmed by the version fix information. No additional mitigations are indicated.
CVE-2026-47706: CWE-400: Uncontrolled Resource Consumption in strawberry-graphql strawberry
Description
CVE-2026-47706 is a medium severity vulnerability in the strawberry-graphql library versions 0. 71. 0 through 0. 315. 6. The QueryDepthLimiter extension lacks cycle detection in fragment spreads, causing infinite recursion when queries contain circular fragment references. This results in a RecursionError that crashes the validation process, leading to an application-level denial of service. The issue is fixed in version 0. 315. 7.
CVSS v3.1
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Strawberry GraphQL's QueryDepthLimiter extension in versions from 0.71.0 up to but not including 0.315.7 does not detect cycles in fragment spreads within GraphQL queries. When a query includes circular fragment references, the determine_depth function enters infinite recursion, causing a RecursionError and crashing the validation process. This uncontrolled resource consumption leads to an application-level denial of service. The vulnerability is addressed in version 0.315.7.
Potential Impact
An attacker can craft GraphQL queries with circular fragment references that cause infinite recursion during query validation, resulting in a RecursionError and crashing the application process. This leads to denial of service without impacting confidentiality or integrity.
Mitigation Recommendations
Upgrade strawberry-graphql to version 0.315.7 or later, where this vulnerability is patched. Patch status is confirmed by the version fix information. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T21:18:20.404Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a218ccee29bf47b50ad1bba
Added to database: 6/4/2026, 2:33:50 PM
Last enriched: 6/4/2026, 2:48:34 PM
Last updated: 6/4/2026, 4:00:45 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.