6a0aa20d-399f-11f1-8626-901b0edee044 py-strawberry-graphql -- Multiple vulnerabilities
The Strawberry GraphQL project reports:
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass
on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler
does not verify that a 'connection_init' handshake has been completed before
processing start (subscription) messages. This allows a remote attacker to skip
the 'on_ws_connect' authentication hook entirely by connecting with the
graphql-ws subprotocol and sending a start message directly, without ever
sending 'connection_init'.
The graphql-transport-ws subprotocol handler is not affected, as it correctly
gates subscription operations on a connection_acknowledged flag. However, both
subprotocols are enabled by default in all framework integrations that support
websockets, and the subprotocol is selected by the client via the
Sec-WebSocket-Protocol header.
Any application relying on 'on_ws_connect' for authentication or authorization
is affected.

Strawberry GraphQL's WebSocket subscription handlers for both the
'graphql-transport-ws' and legacy 'graphql-ws' protocols allocate an
asyncio.Task and associated Operation object for every incoming subscribe
message without enforcing any limit on the number of active subscriptions per
connection.
An unauthenticated attacker can open a single WebSocket connection, send
connection_init, and then flood subscribe messages with unique IDs. Each
message unconditionally spawns a new 'asyncio.Task' and async generator,
causing linear memory growth and event loop saturation. This leads to server
degradation or an OOM crash.
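As an added illustration, not Strawberry's code and not taken from the advisory text, the following Python sketch shows the two controls whose absence the two reports describe: refusing start/subscribe messages until a connection_init handshake has been authenticated, and capping the number of live subscription tasks per connection. The message dictionaries, the DEMO_TOKEN credential, the MAX_SUBSCRIPTIONS_PER_CONNECTION value and the close codes (modelled on graphql-transport-ws conventions) are assumptions made for the example.

```python
import asyncio
from dataclasses import dataclass, field

# Assumed per-connection cap for this example; the advisory states no Strawberry default.
MAX_SUBSCRIPTIONS_PER_CONNECTION = 8

# Constructed credential for the demo authenticator; a real on_ws_connect-style hook
# would validate a session or token carried in the connection_init payload.
DEMO_TOKEN = "demo-token"


@dataclass
class ConnectionState:
    """Per-connection state: whether the handshake was accepted, and live operations."""
    acknowledged: bool = False
    subscriptions: dict = field(default_factory=dict)  # operation id -> asyncio.Task


async def run_operation(op_id: str) -> None:
    # Stand-in for the async generator a real subscription would drive until stopped.
    await asyncio.sleep(3600)


def demo_authenticate(payload: dict) -> bool:
    return payload.get("token") == DEMO_TOKEN


async def handle_message(state: ConnectionState, msg: dict, authenticate=demo_authenticate) -> dict:
    """Process one client message; the returned dicts are constructed result shapes."""
    kind = msg.get("type")

    if kind == "connection_init":
        if not authenticate(msg.get("payload") or {}):
            return {"type": "close", "code": 4403, "reason": "Forbidden"}
        state.acknowledged = True
        return {"type": "connection_ack"}

    # 'start' is the legacy graphql-ws name, 'subscribe' the graphql-transport-ws one;
    # both must be gated on a completed, authenticated handshake.
    if kind in ("start", "subscribe"):
        op_id = msg.get("id")
        if not state.acknowledged:
            # The check the legacy handler lacked: no handshake, no work.
            return {"type": "close", "code": 4401, "reason": "Unauthorized"}
        if op_id in state.subscriptions:
            return {"type": "close", "code": 4409, "reason": "Subscriber already exists"}
        if len(state.subscriptions) >= MAX_SUBSCRIPTIONS_PER_CONNECTION:
            # Bounds task and memory growth per connection instead of letting it grow linearly.
            return {"type": "error", "id": op_id, "reason": "Too many active subscriptions"}
        state.subscriptions[op_id] = asyncio.create_task(run_operation(op_id))
        return {"type": "accepted", "id": op_id}

    if kind in ("stop", "complete"):
        task = state.subscriptions.pop(msg.get("id"), None)
        if task is not None:
            task.cancel()
        return {"type": "complete", "id": msg.get("id")}

    return {"type": "error", "reason": f"Unknown message type {kind!r}"}


def simulate(messages: list, authenticate=demo_authenticate):
    """Feed a constructed message sequence through one connection; return (responses, active)."""
    async def _run():
        state = ConnectionState()
        responses = [await handle_message(state, m, authenticate) for m in messages]
        active = len(state.subscriptions)
        for task in state.subscriptions.values():
            task.cancel()
        await asyncio.gather(*state.subscriptions.values(), return_exceptions=True)
        return responses, active
    return asyncio.run(_run())


if __name__ == "__main__":
    sub = {"type": "start", "id": "1", "payload": {"query": "subscription { ping }"}}
    print(simulate([sub]))  # closed with 4401: start message without a handshake
    flood = [{"type": "connection_init", "payload": {"token": DEMO_TOKEN}}] + [
        {"type": "subscribe", "id": str(i), "payload": {"query": "subscription { ping }"}}
        for i in range(20)
    ]
    responses, active = simulate(flood)
    print(sum(r["type"] == "accepted" for r in responses), "accepted,", active, "still active")
```

The gate is a single boolean on the connection state, which is what the graphql-transport-ws handler's connection_acknowledged flag amounts to; the cap is the cheapest way to turn an unbounded per-message allocation into a bounded one, and the duplicate-id check keeps a client from registering the same operation twice.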
Discovery: 2026-04-04
Entry: 2026-04-17
Affected packages:
py310-strawberry-graphql, py311-strawberry-graphql, py312-strawberry-graphql, py313-strawberry-graphql, py313t-strawberry-graphql, py314-strawberry-graphql: < 0.312.3
py310-dj52-strawberry-graphql, py311-dj52-strawberry-graphql, py312-dj52-strawberry-graphql, py313-dj52-strawberry-graphql, py313t-dj52-strawberry-graphql, py314-dj52-strawberry-graphql: < 0.312.3
References:
CVE-2026-35523: https://www.cve.org/CVERecord?id=CVE-2026-35523
CVE-2026-35526: https://www.cve.org/CVERecord?id=CVE-2026-35526