CVE-2026-47706
Stack Overflow in Strawberry GraphQL QueryDepthLimiter
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| strawberry_graphql | strawberry_graphql | From 0.71.0 (inc) to 0.315.6 (inc) |
| strawberry_graphql | strawberry_graphql | 0.315.7 |
| strawberry_graphql | strawberry_graphql | From 0.71.0 (inc) to 0.315.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the Strawberry GraphQL library to version 0.315.7 or later.
Version 0.315.7 patches the vulnerability by updating the QueryDepthLimiter to properly track visited fragments and prevent infinite recursion caused by circular fragment references.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-47706 affects the Strawberry GraphQL library versions 0.71.0 through 0.315.6 in the QueryDepthLimiter extension. It occurs because the extension lacks cycle detection for fragment spreads in GraphQL queries. When a query contains circular fragment references, the determine_depth function enters an infinite recursion, causing a RecursionError that crashes the validation process.
How can this vulnerability impact me?
This vulnerability can cause an application-level Denial of Service (DoS) by crashing the validation process of GraphQL queries. When a query with circular fragment references is processed, the server enters infinite recursion, exhausting CPU cycles and thread pools before query execution even begins, which can disrupt service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a GraphQL query contains circular fragment references, causing the QueryDepthLimiter's determine_depth function to enter infinite recursion, which results in a RecursionError and crashes the validation process.
To detect this vulnerability on your system, you can monitor for RecursionError exceptions or crashes in the Strawberry GraphQL validation process, especially during query validation.
Since the issue is triggered by queries with circular fragment spreads, you can analyze GraphQL queries for circular fragment references.
There are no specific commands provided in the resources, but you might consider:
- Reviewing logs for RecursionError or validation crashes related to Strawberry GraphQL.
- Using static analysis or custom scripts to detect circular fragment references in GraphQL queries.
- Monitoring CPU usage spikes or thread pool exhaustion during query validation.
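An added example (not code from the advisory or from the Strawberry project) of the "custom script" approach from the last list: a Python triage helper that maps which named fragments each fragment spreads and reports a cycle, using the same visited-fragment tracking that the fix is described as adding. The sample documents are constructed, and the tokenizer is a heuristic rather than a full GraphQL parser.

```python
import re
# Constructed sample documents (not from the advisory): one benign, one with a cycle.
BENIGN_QUERY = """
query { user(id: 1) { ...UserFields } }
fragment UserFields on User { id name ...ContactFields }
fragment ContactFields on User { email phone }
"""
CIRCULAR_QUERY = """
fragment A on User { id ...B }
fragment B on User { name ...A }
"""
_FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+")
_SPREAD = re.compile(r"\.\.\.\s*(\w+)")  # also hits inline '... on T'; filtered below
def _balanced_block(text, start):
    """Return the brace-balanced selection set beginning at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0 and text[i] == "}":
            return text[start:i + 1]
    raise ValueError("unbalanced braces in GraphQL document")

def fragment_graph(query):
    """Map each fragment name to the named fragments it spreads."""
    # Heuristic tokenizer: comments and string literals are not stripped, so triage only.
    graph = {}
    for m in _FRAGMENT_DEF.finditer(query):
        body = _balanced_block(query, query.index("{", m.end()))
        graph[m.group(1)] = {s for s in _SPREAD.findall(body) if s != "on"}
    return graph
def find_fragment_cycle(graph):
    """Return a cycle like ['A', 'B', 'A'] if fragment spreads are circular, else None."""
    # on_path is the visited-fragment tracking the fix describes: a spread back into it is a cycle.
    on_path, done = set(), set()
    def visit(node, path):
        on_path.add(node)
        path.append(node)
        for nxt in sorted(graph[node] & set(graph)):  # spreads of undefined fragments are not cycles
            if nxt in on_path:
                return path[path.index(nxt):] + [nxt]
            if nxt not in done and (found := visit(nxt, path)):
                return found
        path.pop()
        on_path.discard(node)
        done.add(node)
        return None
    for name in sorted(graph):
        if name not in done and (cycle := visit(name, [])):
            return cycle
    return None
```

Run it over captured query bodies before they reach an unpatched server; a non-None result is a document that would have sent the vulnerable depth limiter into unbounded recursion.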