Jun 4, 2026·5 min read·9 visits
The MaxAliasesLimiter extension in strawberry-graphql fails to account for fragment spreads during pre-execution static analysis. Attackers can bypass alias thresholds and trigger thousands of actual backend executions, leading to denial of service.
A security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.
In GraphQL architectures, the concept of aliasing allows clients to customize field names within a single payload. This feature allows multiple variants of the same field to be queried simultaneously. However, resolving thousands of aliases simultaneously consumes excessive CPU and memory on the backend engine. To mitigate this threat vector, developers use security extensions to enforce constraints on the maximum allowed aliases.
The strawberry-graphql library provides a native MaxAliasesLimiter extension designed to limit client-defined aliases. In versions prior to 0.315.7, this validation module failed to assess the impact of fragment spreads. Attackers can exploit this architectural oversight to cause application-level denial of service via uncontrolled resource consumption.
The vulnerability stems from an inconsistency between static analysis and actual execution behavior. The MaxAliasesLimiter calculates alias counts by analyzing the static syntax elements in the Abstract Syntax Tree (AST) before runtime. During this inspection, it aggregates explicitly defined aliases inside structural definitions, such as operations and fragment blocks.
The validator, however, failed to expand FragmentSpreadNode elements inline during counting. If a fragment definition containing N aliases is spread M times in an operation, the execution engine multiplies these selections to produce N x M alias resolutions.
Because the validator calculated the aliases statically and independently within each distinct AST definition node, it did not model this multiplicative expansion. The static validation path evaluated the fragment definition once and the operation once, registering a linear total of N + M instead of N x M. This difference allows an attacker to bypass arbitrary alias thresholds.
Prior to the release of 0.315.7, the implementation of count_fields_with_alias in strawberry/extensions/max_aliases.py was structurally limited. The function analyzed selection_set_owner elements without any visibility into the broader Document definitions. It could not resolve FragmentSpreadNode occurrences back to their associated fragment contents.
# Vulnerable implementation in strawberry/extensions/max_aliases.py
for selection in selection_set_owner.selection_set.selections:
if isinstance(selection, FieldNode) and selection.alias:
result += 1
if isinstance(selection, (FieldNode, InlineFragmentNode)):
result += count_fields_with_alias(selection)The patch introduces a dictionary mapping fragment names to their corresponding definitions within the validator initialization. The revised count_fields_with_alias function takes this lookup map along with a visited_fragments tracker to safely recurse into spread fragments.
# Patched implementation in strawberry/extensions/max_aliases.py
if isinstance(selection, FragmentSpreadNode) and fragments:
fragment_name = selection.name.value
fragment = fragments.get(fragment_name)
if fragment is None or fragment_name in visited_fragments:
continue
result += count_fields_with_alias(
fragment,
fragments,
visited_fragments | {fragment_name},
)Additionally, the patch applies similar visited-fragment state tracking to the query depth evaluation engine in strawberry/extensions/query_depth_limiter.py. This change ensures that cycle validation prevents infinite loops from crashing the validation layer during the resolution of deeply nested fragment loops.
To demonstrate the exploitation vector, a security researcher can construct an operational bypass of a low alias limit. Consider a target backend configuring the MaxAliasesLimiter with a maximum limit of twenty total aliases. An attacker can define a single fragment containing ten distinct aliased fields on a target type.
The attacker then queries a single entity ten times inside a single operational selection set, spreading the defined fragment in each invocation.
fragment Amplification on User {
a1: name, a2: name, a3: name, a4: name, a5: name,
a6: name, a7: name, a8: name, a9: name, a10: name
}
query Bypass {
u1: user { ...Amplification }
u2: user { ...Amplification }
u3: user { ...Amplification }
u4: user { ...Amplification }
u5: user { ...Amplification }
u6: user { ...Amplification }
u7: user { ...Amplification }
u8: user { ...Amplification }
u9: user { ...Amplification }
u10: user { ...Amplification }
}At evaluation time, the static analyzer registers the ten aliases in the fragment definition and the ten selection fields in the operation. This registers a calculated sum of twenty aliases, which exactly matches the threshold.
When executed, the engine expands the ten fragment fields across the ten operation fields, yielding 110 alias resolutions. This execution completely bypasses the configured security policy.
Although the official patch resolves the primary alias amplification bypass, security reviewers must consider remaining architectural edge cases. Specifically, count_fields_with_alias executes recursively using Python's native runtime call stack. A deeply nested, non-cyclic chain of fragment spreads could theoretically trigger a native RecursionError if it exceeds the default system recursion limit.
Furthermore, because the cycle prevention tracker uses an active execution branch state (visited_fragments | {fragment_name}), a non-cyclic Directed Acyclic Graph (DAG) can still bypass validation-phase loop protections. An attacker can structure exponential layout patterns known as "GraphQL Billion Laughs" structures.
For example, defining twenty-five layers of nested binary fragments will scale validation logic to over thirty-three million operations. This causes the Python process to hang indefinitely on the synchronous validation thread, achieving CPU exhaustion.
To remediate this vulnerability, system administrators must immediately upgrade strawberry-graphql deployments to version 0.315.7 or higher. The patch updates both alias calculation paths and depth evaluation rules to prevent unconstrained amplification attacks.
Where immediate upgrades are not feasible, organizations can temporarily disable the MaxAliasesLimiter extension. To compensate, developers should implement alternate GraphQL document structural checks. Deploying specialized application firewalls or utilizing standard schema complexity validation rules from alternative libraries is highly recommended.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L| Product | Affected Versions | Fixed Version |
|---|---|---|
strawberry-graphql Strawberry GraphQL | >= 0.172.0, < 0.315.7 | 0.315.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-400 (Uncontrolled Resource Consumption) |
| Attack Vector | Network (AV:N) |
| CVSS v3.1 | 5.3 (Medium) |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |
| Primary Impact | Availability (Application-level Denial of Service) |
The software does not properly control the allocation and maintenance of a limited resource, enabling an actor to cause resource exhaustion.
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.