CVE-2026-47706 PUBLISHED

Strawberry GraphQL has a Circular Fragment Reference DOS

Assigner: GitHub_M
Reserved: 19.05.2026 Published: 04.06.2026 Updated: 04.06.2026

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	strawberry-graphql
Product	strawberry
Versions	Version >= 0.71.0, < 0.315.7 is affected

References

Problem Types

CWE-400: Uncontrolled Resource Consumption CWE
CWE-674: Uncontrolled Recursion CWE