CVE-2026-47707: Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative (amplification) effect of FragmentSpreadNode. While it correctly counts the static aliases present in the AST, it does not consider how many times a fragment's internal aliases are expanded during execution. This allows an attacker to bypass alias limits and force the server to resolve and render significantly more aliases than allowed, potentially leading to a DoS via resource exhaustion.
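As an added illustration (not Strawberry's or graphql-core's code), the following counts aliases in a GraphQL document two ways: once per AST node, as the bypassed check does, and once per fragment expansion, as execution will actually resolve them. It assumes a small GraphQL subset with no arguments, variables or directives, and a constructed sample document.

```python
import re
# Tokens for a small GraphQL subset: names, braces, ':' and '...' spreads.
# Assumption: no arguments, variables or directives (enough to show the alias issue).
TOKEN_RE = re.compile(r"\.\.\.|[A-Za-z_]\w*|[{}:]")

def _parse_selection_set(tokens, pos):
    # Parse '{ ... }' into ('field', alias_or_None, nested) and ('spread', name) nodes.
    pos, selections = pos + 1, []
    while tokens[pos] != "}":
        if tokens[pos] == "...":                        # fragment spread
            selections.append(("spread", tokens[pos + 1]))
            pos += 2
        else:
            name, alias, pos = tokens[pos], None, pos + 1
            if tokens[pos] == ":":                      # "alias: field"
                alias, name, pos = name, tokens[pos + 1], pos + 2
            nested, pos = _parse_selection_set(tokens, pos) if tokens[pos] == "{" else ([], pos)
            selections.append(("field", alias, nested))
    return selections, pos + 1

def parse_document(text):
    # Return (operation selections, {fragment name: fragment selections}).
    tokens, pos, ops, fragments = TOKEN_RE.findall(text), 0, [], {}
    while pos < len(tokens):
        if tokens[pos] == "fragment":                   # fragment Name on Type { ... }
            fragments[tokens[pos + 1]], pos = _parse_selection_set(tokens, pos + 4)
        else:                                           # "query [Name] {" or bare "{"
            while tokens[pos] != "{":
                pos += 1
            ops, pos = _parse_selection_set(tokens, pos)
    return ops, fragments

def count_aliases_static(text):
    # Alias nodes as they appear in the AST, once per definition: the check that is bypassed.
    static = lambda sels: sum(bool(n[1]) + static(n[2]) for n in sels if n[0] == "field")
    ops, fragments = parse_document(text)
    return static(ops) + sum(static(f) for f in fragments.values())

def _expanded(selections, fragments, active):
    total = 0
    for n in selections:
        if n[0] == "field":
            total += bool(n[1]) + _expanded(n[2], fragments, active)
        elif n[1] not in active:                        # guard against cyclic spreads
            total += _expanded(fragments.get(n[1], []), fragments, active | {n[1]})
    return total

def count_aliases_expanded(text):
    # Aliases as execution will actually resolve them: every spread re-expands its fragment.
    return _expanded(*parse_document(text), frozenset())

# Constructed sample: a fragment carrying 3 aliases, spread under 4 aliased parents.
SAMPLE = ("fragment F on Viewer { a1: me { id } a2: me { id } a3: me { id } } "
          "query { p1: viewer { ...F } p2: viewer { ...F } p3: viewer { ...F } p4: viewer { ...F } }")
```

With a limit of 10, the static count (7) passes while the expanded count (16) shows what the executor will actually resolve; a limiter that enforces the expanded count closes the gap.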