{"id":"CVE-2026-47707","summary":"Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification","details":"Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a  dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.","aliases":["GHSA-fr49-mhgj-crfc"],"modified":"2026-07-08T08:13:37.476694653Z","published":"2026-06-04T14:12:49.083Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47707.json"},"references":[{"type":"WEB","url":"https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47707.json"},{"type":"ADVISORY","url":"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47707"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/strawberry-graphql/strawberry","events":[{"introduced":"f24b64870b142211bab0fb230e8f7bfda150c632"},{"fixed":"a69221fb0b86583ceb5755758b294c8319021fd1"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:strawberry:strawberry_graphql:*:*:*:*:*:python:*:*","extracted_events":[{"introduced":"0.172.0"},{"fixed":"0.315.7"}]}}],"versions":["0.315.6","0.315.5","0.315.4","0.315.3","0.315.2","0.315.1","0.315.0","0.314.3","0.314.2","0.314.1","0.314.0","0.313.0","0.312.4","0.312.3","0.312.2","0.312.1","0.312.0","0.311.3","0.311.2","0.311.1","0.311.0","0.310.2","0.310.1","0.310.0","0.309.0","0.308.3","0.308.2","0.308.1","0.308.0","0.307.1","0.307.0","0.289.0","0.306.0","0.305.0","0.304.0","0.303.1","0.303.0","0.302.0","0.301.0","0.300.0","0.299.0","0.298.1","0.298.0","0.297.0","0.296.2","0.296.1","0.296.0","0.295.0","0.294.0","0.293.0","0.292.0","0.291.3","0.291.2","0.291.1","0.291.0","0.290.0","0.289.8","0.289.7","0.289.6","0.289.5","0.289.4","0.289.3","0.289.2","0.289.1","0.288.4","0.288.3","0.288.2","0.288.1","0.288.0","0.287.4","0.287.2","0.287.3","0.287.1","0.287.0","0.286.1","0.286.0","0.285.0","0.284.4","0.284.3","0.284.2","0.284.1","0.284.0","0.283.3","0.283.2","0.283.1","0.283.0","0.282.0","0.281.0","0.280.0","0.279.0","0.278.1","0.278.0","0.277.1","0.277.0","0.276.2","0.276.1","0.276.0","0.275.7","0.275.6","0.275.5","0.275.4","0.275.3","0.275.2","0.275.1","0.275.0","0.274.3","0.274.2","0.274.1","0.274.0","0.273.3","0.273.2","0.273.1","0.273.0","0.272.1","0.272.0","0.271.2","0.271.1","0.271.0","0.270.6","0.270.5","0.270.4","0.270.3","0.270.2","0.270.1","0.270.0","0.269.0","0.268.2","0.268.1","0.268.0","0.267.0","0.266.1","0.266.0","0.265.1","0.265.0","0.264.1","0.264.0","0.263.2","0.263.1","0.263.0","0.262.6","0.262.5","0.262.4","0.262.3","0.262.2","0.262.1","0.262.0","0.261.1","0.261.0","0.260.4","0.260.3","0.260.2","0.260.1","0.260.0","0.259.1","0.259.0","0.258.1","0.258.0","0.257.0","0.256.1","0.256.0","0.254.1","0.255.0","0.254.0","0.253.1","0.253.0","0.252.0","0.251.0","0.250.1","0.250.0","0.249.0","0.248.1","0.248.0","0.247.2","0.247.1","0.247.0","0.246.3","0.246.2","0.246.1","0.246.0","0.245.0","0.244.1","0.244.0","0.243.1","0.243.0","0.242.0","0.241.0","0.240.4","0.240.3","0.240.2","0.240.1","0.240.0","0.239.2","0.239.1","0.239.0","0.238.1","0.238.0","0.237.3","0.237.2","0.237.1","0.237.0","0.236.2","0.236.1","0.236.0","0.235.2","0.235.1","0.235.0","0.234.3","0.234.2","0.234.1","0.234.0","0.233.3","0.233.2","0.233.1","0.233.0","0.232.2","0.232.1","0.232.0","0.231.1","0.231.0","0.230.0","0.229.2","0.229.1","0.229.0","0.228.0","0.227.7","0.227.6","0.227.5","0.227.4","0.227.3","0.227.2","0.227.1","0.227.0","0.226.2","0.226.1","0.226.0","0.225.1","0.225.0","0.224.2","0.224.1","0.224.0","0.223.0","0.222.0","0.221.1","0.221.0","0.220.0","0.219.2","0.219.1","0.219.0","0.218.1","0.218.0","0.217.1","0.217.0","0.216.1","0.216.0","0.215.3","0.215.2","0.215.1","0.215.0","0.214.0","0.213.0","0.212.0","0.211.2","0.211.1","0.211.0","0.210.0","0.209.8","0.209.7","0.209.6","0.209.5","0.209.4","0.209.3","0.209.2","0.209.1","0.209.0","0.208.3","0.208.2","0.208.1","0.208.0","0.207.1","0.207.0","0.206.0","0.205.0","0.204.0","0.203.3","0.203.2","0.203.1","0.203.0","0.202.1","0.202.0","0.201.1","0.201.0","0.200.0","0.199.3","0.199.2","0.199.1","0.199.0","0.198.0","0.197.0","0.196.2","0.196.1","0.196.0","0.195.3","0.195.2","0.195.1","0.195.0","0.194.4","0.194.3","0.194.2","0.194.1","0.194.0","0.193.1","0.193.0","0.192.2","0.192.1","0.192.0","0.191.0","0.190.0","0.189.3","0.189.2","0.189.1","0.189.0","0.188.0","0.187.5","0.187.4","0.187.3","0.187.2","0.187.1","0.187.0","0.186.3","0.186.2","0.186.1","0.186.0","0.185.2","0.185.1","0.185.0","0.184.1","0.184.0","0.183.8","0.183.7","0.183.6","0.183.5","0.183.4","0.183.3","0.183.2","0.183.1","0.183.0","0.182.0","0.181.0","0.180.5","0.180.4","0.180.3","0.180.2","0.180.1","0.180.0","0.179.0","0.178.3","0.178.2","0.178.1","0.178.0","0.177.3","0.177.2","0.177.1","0.177.0","0.176.4","0.176.3","0.176.2","0.176.1","0.176.0","0.175.1","0.175.0","0.174.0","0.173.1","0.173.0","0.172.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47707.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}