Gonas0919

**Name of the Vulnerable Software and Affected Versions** Strawberry GraphQL versions 0.71.0 through 0.315.6 **Description** The QueryDepthLimiter extension is susceptible to an application-level Denial of Service (DoS). This occurs because the `determine depth()` function in `query depth limiter.py` lacks cycle detection when resolving fragment spreads. If a query contains circular fragment references, the function enters an infinite recursion, resulting in a `RecursionError` that crashes the validation process. This allows an attacker to exhaust server CPU cycles and thread or worker pools since validation occurs before query execution. **Recommendations** Update to version 0.315.7.

**Name of the Vulnerable Software and Affected Versions** Strawberry GraphQL versions 0.172.0 through 0.315.6 **Description** The MaxAliasesLimiter extension fails to account for the multiplicative effect of `FragmentSpreadNode`. While static aliases within the Abstract Syntax Tree (AST) are counted, the system does not consider how many times internal aliases of a fragment are expanded during execution. This allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than permitted, potentially leading to a denial of service (DoS) via resource exhaustion of CPU and memory. **Recommendations** Update to version 0.315.7.

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description AIOHTTP, an asynchronous HTTP client/server framework, is susceptible to excessive memory usage due to an unbounded DNS cache. This can potentially lead to a Denial of Service (DoS) situation if an application makes requests to a large number of hosts, causing the DNS cache to grow continuously. Recommendations Update to version 3.13.4 or later.