CVE-2026-47706
Status: Analyzed (Analysis Complete)
Stack Overflow in Strawberry GraphQL QueryDepthLimiter

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
One associated CPE:

Vendor: strawberry
Product: strawberry_graphql
Version range: from 0.71.0 (inclusive) to 0.315.7 (exclusive)
CWE

CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Strawberry GraphQL library to version 0.315.7 or later.

Version 0.315.7 patches the vulnerability by updating the QueryDepthLimiter to properly track visited fragments and prevent infinite recursion caused by circular fragment references.

Executive Summary

The vulnerability CVE-2026-47706 affects the Strawberry GraphQL library versions 0.71.0 through 0.315.6 in the QueryDepthLimiter extension. It occurs because the extension lacks cycle detection for fragment spreads in GraphQL queries. When a query contains circular fragment references, the determine_depth function enters an infinite recursion, causing a RecursionError that crashes the validation process.

Impact Analysis

This vulnerability can cause an Application-level Denial of Service (DOS) by crashing the validation process of GraphQL queries. When a query with circular fragment references is processed, the server enters infinite recursion, exhausting CPU cycles and thread pools before query execution, which can disrupt service availability.

Detection Guidance

This vulnerability occurs when a GraphQL query contains circular fragment references causing the QueryDepthLimiter's determine_depth function to enter infinite recursion, resulting in a RecursionError and crashing the validation process.

To detect this vulnerability on your system, you can monitor for RecursionError exceptions or crashes in the Strawberry GraphQL validation process, especially during query validation.

Since the issue is triggered by queries with circular fragment spreads, you can analyze GraphQL queries for circular fragment references.

The referenced resources give no specific commands, but the following are reasonable starting points:

  • Reviewing logs for RecursionError or validation crashes related to Strawberry GraphQL.
  • Using static analysis or custom scripts to detect circular fragment references in GraphQL queries.
  • Monitoring CPU usage spikes or thread pool exhaustion during query validation.
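The second bullet, as an added example that is not code from the advisory or from the Strawberry project: a small Python checker that extracts named fragment definitions from a GraphQL document with a simplified lexer (assumption: no directives between the type condition and the opening brace), builds the fragment-to-fragment spread graph, and runs a depth-first search for a cycle, which is exactly the condition the patched QueryDepthLimiter now guards against. The sample document is constructed for the demonstration.

```python
import re
# Constructed sample document (not from the advisory): fragment A spreads B and B spreads A.
CYCLIC_QUERY = """
query { user { ...A } }
fragment A on User { id ...B }
fragment B on User { name ...A }
"""
# Simplified lexing (assumption: no directives between the type condition and the '{').
FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(\w+)\b")

def _body(text: str, start: int) -> str:
    """Text between the '{' at `start` and its matching '}' (plain brace counting)."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    return text[start + 1:]  # unbalanced braces: take the rest

def fragment_graph(query: str) -> dict[str, set[str]]:
    """Map each named fragment to the set of named fragments it spreads directly."""
    graph: dict[str, set[str]] = {}
    for m in FRAGMENT_DEF.finditer(query):
        body = _body(query, m.end() - 1)
        # '... on Type' is an inline fragment, not a reference to a named one
        graph[m.group(1)] = {s for s in SPREAD.findall(body) if s != "on"}
    return graph

def find_fragment_cycle(query: str) -> list[str]:
    """Return the first fragment cycle found as a closed list of names, or [] if acyclic."""
    graph = fragment_graph(query)
    state: dict[str, int] = {}  # 1 = on the current DFS path, 2 = fully explored
    path: list[str] = []
    def visit(name: str) -> list[str]:
        state[name] = 1
        path.append(name)
        for nxt in sorted(graph.get(name, ())):
            if state.get(nxt, 0) == 1:  # back edge: the cycle closes at nxt
                return path[path.index(nxt):] + [nxt]
            if state.get(nxt, 0) == 0 and (cycle := visit(nxt)):
                return cycle
        path.pop()
        state[name] = 2
        return []
    for frag in graph:
        if state.get(frag, 0) == 0 and (cycle := visit(frag)):
            return cycle
    return []
```

A non-empty result (for the sample: `['A', 'B', 'A']`) is a document that would have sent the unpatched determine_depth into unbounded recursion, so it can be rejected or logged before it reaches validation.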

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
