strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions

GHSA-hv3w-m4g2-5x77 · CVE-2026-35526 · PYSEC-2026-134

Published Apr 6, 2026 · Modified Jun 8, 2026

Description

Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.

An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.

References

WEB https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-35526
WEB https://github.com/strawberry-graphql/strawberry/commit/0977a4e6b41b7cfe3e9d8ba84a43458a2b0c54c2
WEB https://github.com/pypa/advisory-database/tree/main/vulns/strawberry-graphql/PYSEC-2026-134.yaml
PACKAGE https://github.com/strawberry-graphql/strawberry
WEB https://github.com/strawberry-graphql/strawberry/releases/tag/0.312.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes