CVE-2024-47082 strawberry-graphql

Package

Manager: pip
Name: strawberry-graphql
Vulnerable Version: >=0 <0.243.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00054 (percentile 0.16809)

Details

Cross-Site Request Forgery (CSRF) in strawberry-graphql

### Impact

Multipart file upload support as defined in the [GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multipart-request-spec) was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to CSRF attacks if users did not explicitly enable a CSRF-preventing security mechanism for their servers. Additionally, the Django HTTP view integration in particular was exempted by default from Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware). In effect, all Strawberry integrations were vulnerable to CSRF attacks by default.

### Patches

Version `v0.243.0` is the first `strawberry-graphql` release including a patch. Check out our [documentation](https://strawberry.rocks/docs/breaking-changes/0.243.0) for additional details and upgrade instructions.

### References

- [Strawberry upgrade guide](https://strawberry.rocks/docs/breaking-changes/0.243.0)
- [Multipart Upload Security Implications](https://github.com/jaydenseric/graphql-multipart-request-spec/blob/master/readme.md#security)

### Credits

- [Thomas Grainger](https://github.com/graingert)
- [Arthur Bayr](https://github.com/speedy1991)
- [Jonathan Ehwald](https://github.com/DoctorJohn)
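The reason multipart support matters for CSRF is that a browser will submit a `multipart/form-data` POST to any origin from a plain HTML form without a CORS preflight, whereas an `application/json` POST is blocked unless the server opts in. The following is an added, self-contained illustration (not code from the advisory or from the Strawberry project) of a server-side guard that encodes the two mitigations the advisory describes: refusing multipart requests unless the operator opted in, and requiring CSRF proof (a token bound to the session, or a same-origin `Origin`/`Referer`) for any request shape a third-party page could have forged. The `multipart_uploads_enabled` parameter, the `X-CSRFToken` header name and all hostnames and requests are this example's own constructions.

```python
"""Added example: a CSRF guard for a GraphQL HTTP endpoint that accepts multipart uploads.

Not part of the advisory or of strawberry-graphql; the request dicts, hostnames,
header names and the ``multipart_uploads_enabled`` flag are constructed for illustration.
"""
import hmac
from urllib.parse import urlsplit

# Request content types a browser may send cross-origin in a POST *without* a CORS
# preflight (the "CORS-safelisted" content types of the Fetch standard). Anything
# else, e.g. application/json, forces a preflight the server has to approve.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type_header):
    """Return the bare media type, dropping parameters such as ``boundary=`` or ``charset=``."""
    return content_type_header.split(";", 1)[0].strip().lower()


def is_forgeable(request):
    """True if a third-party page could have made the browser send this request
    with no preflight: a POST whose Content-Type is safelisted."""
    if request["method"] != "POST":
        return False
    return media_type(request["headers"].get("Content-Type", "")) in SAFELISTED_CONTENT_TYPES


def same_origin(request):
    """Origin (or, failing that, Referer) must name the host the request was sent to."""
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == request["headers"].get("Host", "").lower()


def token_matches(request):
    """Compare the submitted CSRF token with the one bound to the session, constant-time."""
    submitted = request["headers"].get("X-CSRFToken", "")
    expected = request.get("session_csrf_token", "")
    return bool(expected) and hmac.compare_digest(submitted, expected)


def csrf_verdict(request, multipart_uploads_enabled):
    """Return (accepted, reason). Multipart is refused unless explicitly enabled;
    every forgeable request must carry CSRF proof (token or same-origin source)."""
    mt = media_type(request["headers"].get("Content-Type", ""))
    if mt == "multipart/form-data" and not multipart_uploads_enabled:
        return False, "multipart uploads disabled on this endpoint"
    if not is_forgeable(request):
        return True, "not forgeable from a cross-site page (preflight-gated)"
    if token_matches(request) or same_origin(request):
        return True, "forgeable shape, but CSRF proof present"
    return False, "forgeable request without CSRF proof"


# Constructed sample requests (no real hosts or sessions involved).
REQUESTS = {
    "json_from_spa": {
        "method": "POST",
        "headers": {"Host": "api.example.test",
                    "Content-Type": "application/json",
                    "Origin": "https://app.example.test"},
    },
    "multipart_cross_site": {
        "method": "POST",
        "headers": {"Host": "api.example.test",
                    "Content-Type": "multipart/form-data; boundary=----constructed",
                    "Origin": "https://third-party.example.test"},
        "session_csrf_token": "s3ss10n-t0k3n",
    },
    "multipart_same_origin_with_token": {
        "method": "POST",
        "headers": {"Host": "api.example.test",
                    "Content-Type": "multipart/form-data; boundary=----constructed",
                    "Origin": "https://api.example.test",
                    "X-CSRFToken": "s3ss10n-t0k3n"},
        "session_csrf_token": "s3ss10n-t0k3n",
    },
}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"multipart_uploads_enabled={enabled}")
        for name, req in REQUESTS.items():
            accepted, reason = csrf_verdict(req, enabled)
            print(f"  {name}: {'accept' if accepted else 'reject'} ({reason})")
```

With uploads enabled and no CSRF check, the cross-site multipart request is the case the advisory describes; with uploads disabled it is refused before any CSRF logic runs, which is why the patched default is the safer one. JSON-only GraphQL traffic passes either way because the preflight, not this guard, is what keeps it from being forged.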

Metadata

Created: 2024-09-25T18:21:19Z
Modified: 2025-01-21T18:27:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-79gp-q4wv-33fr/GHSA-79gp-q4wv-33fr.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-79gp-q4wv-33fr
Finding: F007
Auto approve: 1