CVE-2024-47082

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions prior to 0.243.0

Description The issue concerns Strawberry GraphQL, a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support was enabled by default in all Strawberry HTTP view integrations, making them vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanisms for their servers. The Django HTTP view integration had an exemption for Django's built-in CSRF protection by default, making all Strawberry integrations vulnerable to CSRF attacks by default.

Recommendations For versions prior to 0.243.0, update to version 0.243.0 or later to resolve the issue. As a temporary workaround, consider disabling multipart file upload support in Strawberry HTTP view integrations until a patch is applied. Restrict access to the Django HTTP view integration to minimize the risk of exploitation. Avoid relying solely on Django's built-in CSRF protection for the Django HTTP view integration.