python · strawberry-graphql
Heads-up
strawberry-graphql MaxAliasesLimiter bypass via FragmentSpreadNode
The MaxAliasesLimiter extension does not count aliases expanded from FragmentSpreadNode, letting attackers bypass alias limits and exhaust resources.
What changed
The MaxAliasesLimiter extension counts aliased fields in an incoming query so that a single request cannot repeat a field an unbounded number of times, but it does not count aliases that are expanded from a FragmentSpreadNode. A query that places its aliased fields inside a fragment and spreads that fragment therefore passes the check with an undercounted total, letting attackers bypass the configured alias limit and exhaust server resources.
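To make the undercount concrete, the following is an added example written for this page, not Strawberry's own extension code. It uses a small hand-built stand-in for graphql-core's AST node types (Field, FragmentSpread, InlineFragment, FragmentDefinition) and a constructed query; it places one counter that skips fragment spreads beside one that resolves each spread to its fragment definition, with a guard against cyclic spreads.

```python
"""Alias counting with and without fragment-spread resolution.

Added example, not Strawberry's code. The node classes are a simplified
stand-in for graphql-core's AST (FieldNode, FragmentSpreadNode,
InlineFragmentNode, FragmentDefinitionNode); the query is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Union


@dataclass
class Field:
    name: str
    alias: Optional[str] = None
    selections: List["Selection"] = field(default_factory=list)


@dataclass
class FragmentSpread:
    name: str  # "...Name": refers to a FragmentDefinition by name


@dataclass
class InlineFragment:
    selections: List["Selection"] = field(default_factory=list)


Selection = Union[Field, FragmentSpread, InlineFragment]


@dataclass
class FragmentDefinition:
    name: str
    selections: List[Selection] = field(default_factory=list)


@dataclass
class Document:
    operation: List[Selection]              # the operation's selection set
    fragments: Dict[str, FragmentDefinition]


def count_aliases_naive(doc: Document) -> int:
    """Counts aliased fields but never follows a FragmentSpread.

    Reproduces the undercount: aliases placed inside a fragment are
    invisible to this counter, so the limit can be exceeded unnoticed.
    """
    def walk(selections: List[Selection]) -> int:
        total = 0
        for sel in selections:
            if isinstance(sel, Field):
                if sel.alias is not None:
                    total += 1
                total += walk(sel.selections)
            elif isinstance(sel, InlineFragment):
                total += walk(sel.selections)
            # FragmentSpread: skipped, so its aliases are never counted
        return total
    return walk(doc.operation)


def count_aliases(doc: Document) -> int:
    """Counts aliased fields, resolving each spread to its fragment.

    A fragment is counted once per spread, matching what the executor
    expands. The stack rejects cyclic spreads so a malformed document
    cannot make the limiter itself recurse forever.
    """
    def walk(selections: List[Selection], stack: FrozenSet[str]) -> int:
        total = 0
        for sel in selections:
            if isinstance(sel, Field):
                if sel.alias is not None:
                    total += 1
                total += walk(sel.selections, stack)
            elif isinstance(sel, InlineFragment):
                total += walk(sel.selections, stack)
            elif isinstance(sel, FragmentSpread):
                if sel.name in stack:
                    raise ValueError(f"cyclic fragment spread: {sel.name}")
                frag = doc.fragments.get(sel.name)
                if frag is None:
                    raise ValueError(f"unknown fragment: {sel.name}")
                total += walk(frag.selections, stack | {sel.name})
        return total
    return walk(doc.operation, frozenset())


def exceeds_limit(doc: Document, max_aliases: int, counter=count_aliases) -> bool:
    """True when the document should be rejected under the given limit."""
    return counter(doc) > max_aliases


def build_sample_document() -> Document:
    """Constructed query equivalent to:
        query { ...Many ...Many }
        fragment Many on Query { a1: me { id } ... a5: me { id } }
    """
    many = FragmentDefinition(
        "Many",
        [Field("me", alias=f"a{i}", selections=[Field("id")]) for i in range(1, 6)],
    )
    return Document(
        operation=[FragmentSpread("Many"), FragmentSpread("Many")],
        fragments={"Many": many},
    )


if __name__ == "__main__":
    doc, limit = build_sample_document(), 3
    print("naive:", count_aliases_naive(doc), "rejected:", exceeds_limit(doc, limit, count_aliases_naive))
    print("fixed:", count_aliases(doc), "rejected:", exceeds_limit(doc, limit))
```

With a limit of 3, the naive counter sees zero aliases in the sample document and lets it through, while the resolving counter sees ten (five aliases, spread twice) and rejects it. Counting per spread rather than per fragment definition matters: the executor expands every spread, so that is the work the limit is meant to bound.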
Who it affects
Applications using Strawberry GraphQL with MaxAliasesLimiter, particularly those accessible to untrusted users.
What to do today
Update Strawberry GraphQL to a patched version that correctly counts aliases from fragments, or add extra rate limiting and monitoring.