Strawberry Graphql · Strawberry · CVE-2026-45739
**Name of the Vulnerable Software and Affected Versions**
Strawberry GraphQL versions 0.288.4 through 0.315.3
**Description**
The bundled GraphiQL template in Strawberry GraphQL writes the contents of the IDE's headers editor into the browser's URL query string. The `strawberry/static/graphiql.html` template calls `updateURL()` from `onEditHeaders()`, which serializes whatever text is in the headers editor into the `headers` query parameter of the page URL. Because that text is typically a JSON object carrying credentials (for example an `Authorization: Bearer ...` header used to run authenticated queries), the token ends up in browser history and in any copied or shared link, and reaches server, proxy, or CDN access logs as soon as that URL is loaded again (a page reload, a bookmark, or a link opened by someone else). The exposure is confined to the browser-based IDE: it does not change how GraphQL queries are executed and does not by itself allow an authorization bypass, but a token recovered from a log or a shared link can be replayed by whoever obtains it.
**Recommendations**
Update to Strawberry GraphQL 0.315.4 or later.
As a temporary workaround, disable the bundled IDE in production by passing `graphql_ide=None` to `GraphQLRouter` (or the equivalent parameter of the other HTTP integrations), so the GraphiQL page is not served at all.
Alternatively, serve a custom GraphiQL template that does not serialize header values into the URL.
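Because the description above says the leaked `headers` value can land in server, proxy, or CDN access logs, an operator assessing exposure will want to scan those logs for it. The following is an added example written for this advisory, not code from the Strawberry project: it parses combined-log-format lines, pulls the `headers` query parameter out of each request target, decodes it (as a JSON object, which is what the GraphiQL headers editor normally holds, or as `Name: value` lines, since the advisory says arbitrary text is serialized), and reports which header names were exposed with their values redacted. The log lines, IP addresses, and token values are constructed for the example.

```python
"""Scan HTTP access logs for GraphiQL 'headers' query parameters.

Added example for this advisory, not code from Strawberry. It reports
requests whose URL carried a `headers` parameter, with values redacted
so the report itself does not become a second copy of the secret.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Header names whose presence in a URL is a credential leak, not just noise.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

# Combined-log-format line: client, idents, [timestamp], "METHOD target HTTP/x".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines (not real traffic). Line 1 and line 4 carry a
# leaked `headers` parameter; lines 2 and 3 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /graphql?query=%7B%20me%20%7D&headers=%7B%22Authorization%22%3A%22Bearer%20eyJabc.def.ghi%22%7D HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET /graphql?query=%7B%20me%20%7D HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "POST /graphql HTTP/1.1" 200 1024
10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET /graphql?headers=X-Api-Key%3A%20sk_live_0123456789 HTTP/1.1" 200 512
"""


def redact(value: str, keep: int = 10) -> str:
    """Keep a short prefix so an analyst can match the token, hide the rest."""
    return value[:keep] + "..." if len(value) > keep else value


def parse_headers_param(raw: str) -> dict:
    """Decode the headers-editor text.

    The GraphiQL editor holds a JSON object, but the advisory says arbitrary
    text is serialized, so fall back to 'Name: value' lines when the value
    is not a JSON object.
    """
    try:
        obj = json.loads(raw)
        if isinstance(obj, dict):
            return {str(k): str(v) for k, v in obj.items()}
    except ValueError:  # includes json.JSONDecodeError
        pass
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def leaked_headers(target: str) -> list:
    """Return [(name, redacted_value, is_credential)] for every header
    carried in the request target's `headers` query parameter."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = []
    for raw in qs.get("headers", []):
        for name, value in parse_headers_param(raw).items():
            found.append((name, redact(value), name.lower() in CREDENTIAL_HEADERS))
    return found


def scan_log(text: str) -> list:
    """Report every request whose URL leaked headers-editor content."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        leaked = leaked_headers(target)
        if leaked:
            hits.append({"client": client, "method": method,
                         "path": urlsplit(target).path, "headers": leaked})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        for name, value, is_cred in hit["headers"]:
            tag = "CREDENTIAL" if is_cred else "header"
            print(f'{hit["client"]} {hit["method"]} {hit["path"]}: {tag} {name}={value}')
```

Run it against real access logs by feeding the file contents to `scan_log`; any hit with `is_credential` set means the corresponding token was written to that log and should be treated as disclosed. The scan only sees logs the operator controls, so it establishes a lower bound on exposure: links copied from the IDE and the user's browser history are not visible to it.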