CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-47707

CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter

Amit Schendel
Amit Schendel
Senior Security Researcher

Jun 4, 2026·5 min read·9 visits

Executive Summary (TL;DR)

The MaxAliasesLimiter extension in strawberry-graphql fails to account for fragment spreads during pre-execution static analysis. Attackers can bypass alias thresholds and trigger thousands of actual backend executions, leading to denial of service.

A security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.

Vulnerability Overview

In GraphQL architectures, the concept of aliasing allows clients to customize field names within a single payload. This feature allows multiple variants of the same field to be queried simultaneously. However, resolving thousands of aliases simultaneously consumes excessive CPU and memory on the backend engine. To mitigate this threat vector, developers use security extensions to enforce constraints on the maximum allowed aliases.

The strawberry-graphql library provides a native MaxAliasesLimiter extension designed to limit client-defined aliases. In versions prior to 0.315.7, this validation module failed to assess the impact of fragment spreads. Attackers can exploit this architectural oversight to cause application-level denial of service via uncontrolled resource consumption.

Root Cause Analysis

The vulnerability stems from an inconsistency between static analysis and actual execution behavior. The MaxAliasesLimiter calculates alias counts by analyzing the static syntax elements in the Abstract Syntax Tree (AST) before runtime. During this inspection, it aggregates explicitly defined aliases inside structural definitions, such as operations and fragment blocks.

The validator, however, failed to expand FragmentSpreadNode elements inline during counting. If a fragment definition containing N aliases is spread M times in an operation, the execution engine multiplies these selections to produce N x M alias resolutions.

Because the validator calculated the aliases statically and independently within each distinct AST definition node, it did not model this multiplicative expansion. The static validation path evaluated the fragment definition once and the operation once, registering a linear total of N + M instead of N x M. This difference allows an attacker to bypass arbitrary alias thresholds.

Code Analysis

Prior to the release of 0.315.7, the implementation of count_fields_with_alias in strawberry/extensions/max_aliases.py was structurally limited. The function analyzed selection_set_owner elements without any visibility into the broader Document definitions. It could not resolve FragmentSpreadNode occurrences back to their associated fragment contents.

# Vulnerable implementation in strawberry/extensions/max_aliases.py
for selection in selection_set_owner.selection_set.selections:
    if isinstance(selection, FieldNode) and selection.alias:
        result += 1
 
    if isinstance(selection, (FieldNode, InlineFragmentNode)):
        result += count_fields_with_alias(selection)

The patch introduces a dictionary mapping fragment names to their corresponding definitions within the validator initialization. The revised count_fields_with_alias function takes this lookup map along with a visited_fragments tracker to safely recurse into spread fragments.

# Patched implementation in strawberry/extensions/max_aliases.py
if isinstance(selection, FragmentSpreadNode) and fragments:
    fragment_name = selection.name.value
    fragment = fragments.get(fragment_name)
    if fragment is None or fragment_name in visited_fragments:
        continue
 
    result += count_fields_with_alias(
        fragment,
        fragments,
        visited_fragments | {fragment_name},
    )

Additionally, the patch applies similar visited-fragment state tracking to the query depth evaluation engine in strawberry/extensions/query_depth_limiter.py. This change ensures that cycle validation prevents infinite loops from crashing the validation layer during the resolution of deeply nested fragment loops.

Exploitation

To demonstrate the exploitation vector, a security researcher can construct an operational bypass of a low alias limit. Consider a target backend configuring the MaxAliasesLimiter with a maximum limit of twenty total aliases. An attacker can define a single fragment containing ten distinct aliased fields on a target type.

The attacker then queries a single entity ten times inside a single operational selection set, spreading the defined fragment in each invocation.

fragment Amplification on User {
    a1: name, a2: name, a3: name, a4: name, a5: name,
    a6: name, a7: name, a8: name, a9: name, a10: name
}
query Bypass {
    u1: user { ...Amplification }
    u2: user { ...Amplification }
    u3: user { ...Amplification }
    u4: user { ...Amplification }
    u5: user { ...Amplification }
    u6: user { ...Amplification }
    u7: user { ...Amplification }
    u8: user { ...Amplification }
    u9: user { ...Amplification }
    u10: user { ...Amplification }
}

At evaluation time, the static analyzer registers the ten aliases in the fragment definition and the ten selection fields in the operation. This registers a calculated sum of twenty aliases, which exactly matches the threshold.

When executed, the engine expands the ten fragment fields across the ten operation fields, yielding 110 alias resolutions. This execution completely bypasses the configured security policy.

Post-Patch & Re-exploitation Analysis

Although the official patch resolves the primary alias amplification bypass, security reviewers must consider remaining architectural edge cases. Specifically, count_fields_with_alias executes recursively using Python's native runtime call stack. A deeply nested, non-cyclic chain of fragment spreads could theoretically trigger a native RecursionError if it exceeds the default system recursion limit.

Furthermore, because the cycle prevention tracker uses an active execution branch state (visited_fragments | {fragment_name}), a non-cyclic Directed Acyclic Graph (DAG) can still bypass validation-phase loop protections. An attacker can structure exponential layout patterns known as "GraphQL Billion Laughs" structures.

For example, defining twenty-five layers of nested binary fragments will scale validation logic to over thirty-three million operations. This causes the Python process to hang indefinitely on the synchronous validation thread, achieving CPU exhaustion.

Remediation & Mitigations

To remediate this vulnerability, system administrators must immediately upgrade strawberry-graphql deployments to version 0.315.7 or higher. The patch updates both alias calculation paths and depth evaluation rules to prevent unconstrained amplification attacks.

Where immediate upgrades are not feasible, organizations can temporarily disable the MaxAliasesLimiter extension. To compensate, developers should implement alternate GraphQL document structural checks. Deploying specialized application firewalls or utilizing standard schema complexity validation rules from alternative libraries is highly recommended.

Official Patches

Strawberry GraphQLOfficial patch fixing fragment expansion and tracking visited fragments during alias counting.

Fix Analysis (1)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Systems

strawberry-graphql

Affected Versions Detail

Product
Affected Versions
Fixed Version
strawberry-graphql
Strawberry GraphQL
>= 0.172.0, < 0.315.70.315.7
AttributeDetail
CWE IDCWE-400 (Uncontrolled Resource Consumption)
Attack VectorNetwork (AV:N)
CVSS v3.15.3 (Medium)
Exploit StatusProof-of-Concept Available
KEV StatusNot Listed
Primary ImpactAvailability (Application-level Denial of Service)

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
CWE-400
Uncontrolled Resource Consumption

The software does not properly control the allocation and maintenance of a limited resource, enabling an actor to cause resource exhaustion.

Known Exploits & Detection

GitHub Security Advisory ResearchA proof of concept demonstrates that nested alias configurations bypass the default configured MaxAliasesLimiter limits.

Vulnerability Timeline

Security patch commit a69221fb0b86583ceb5755758b294c8319021fd1 is developed and merged.
2026-05-19
Strawberry version 0.315.7 containing the fix is released.
2026-05-19
Authoritative advisory GHSA-fr49-mhgj-crfc is published.
2026-06-04
CVE-2026-47707 is officially allocated and published to the NVD.
2026-06-04

References & Sources

  • [1]GHSA-fr49-mhgj-crfc Advisory
  • [2]Strawberry GraphQL Version 0.315.7 Release Notes
  • [3]CVE-2026-47707 CVE Record
  • [4]Patch Commit a69221f

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 11 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 12 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 13 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 14 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 15 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 16 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read