PT-2025-4385 · Unknown+2 · Strawberry Graphql+3
Jamietdavidson · Published 2025-01-09 · Updated 2025-01-09
CVE-2025-22151
CVSS v3.1: 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Strawberry GraphQL versions 0.182.0 through 0.257.0
Description
A type confusion vulnerability exists in Strawberry GraphQL's relay integration and affects multiple ORM integrations, including Django, SQLAlchemy, and Pydantic. The issue occurs when multiple GraphQL types are mapped to the same underlying model while using the relay Node interface. When a client queries for a specific type through the global node field, the resolver may incorrectly return an instance of a different type mapped to the same model. This can lead to information disclosure if the alternate type exposes sensitive fields, and to privilege escalation if the alternate type contains data intended for restricted access.
Recommendations
- Update to strawberry-graphql>=0.257.0 to fix the vulnerability.
- Avoid mapping multiple relay Node types to the same model as a mitigation measure.
- Implement strict access controls at the field resolution level using permissions to minimize the risk of exploitation.
- Consider using separate models for different access levels of the same data to reduce the vulnerability's impact.
- If using strawberry-graphql-django, update to strawberry-graphql-django>=0.54.0 to ensure the fix is applied.
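The following is an added, self-contained illustration of the bug class described above and of the mitigations in the list (binding the resolved type to the type name carried in the global ID, and a field-level permission check). It is not Strawberry's code and does not import Strawberry; the models, type names (PublicUser, AdminUser), the viewer dictionary and the permission callable are all constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample model: one row with a column only the admin-facing type should expose.
@dataclass
class UserModel:
    pk: int
    username: str
    email: str  # sensitive

DB = {1: UserModel(1, "alice", "alice@example.invalid")}  # constructed in-memory "table"

@dataclass
class NodeType:
    """A relay Node type mapped onto an ORM model (hypothetical stand-in for an integration type)."""
    name: str
    model: type
    fields: tuple
    permission: Callable[[dict], bool] = lambda viewer: True  # field-level access check

    def is_type_of(self, obj) -> bool:
        # Mirrors the ORM integrations' check: "is this object an instance of my model?"
        # Every type mapped to the same model answers True, which is the root of the confusion.
        return isinstance(obj, self.model)

    def project(self, obj) -> dict:
        return {"__typename": self.name, **{f: getattr(obj, f) for f in self.fields}}

# Two types over the same model: the pattern the advisory tells you to avoid.
PUBLIC_USER = NodeType("PublicUser", UserModel, ("pk", "username"))
ADMIN_USER = NodeType(
    "AdminUser", UserModel, ("pk", "username", "email"),
    permission=lambda viewer: bool(viewer.get("is_staff")),
)
TYPES = [ADMIN_USER, PUBLIC_USER]  # registration order decides which type "wins" in the buggy path

def encode_global_id(type_name: str, node_id: int) -> str:
    # Relay-style opaque id: base64("TypeName:id")
    return base64.b64encode(f"{type_name}:{node_id}".encode()).decode()

def decode_global_id(gid: str) -> tuple:
    type_name, _, node_id = base64.b64decode(gid).decode().partition(":")
    return type_name, int(node_id)

def resolve_node_vulnerable(gid: str, viewer: Optional[dict] = None) -> dict:
    """Buggy pattern: load the row by id, then pick the first registered type whose
    is_type_of() accepts the instance. The type name in the global ID is ignored, so a
    request for PublicUser can come back as AdminUser, email included."""
    _, node_id = decode_global_id(gid)
    obj = DB[node_id]
    for t in TYPES:
        if t.is_type_of(obj):
            return t.project(obj)
    raise LookupError("no type registered for object")

def resolve_node_fixed(gid: str, viewer: Optional[dict] = None) -> dict:
    """Hardened pattern: the concrete type is the one named in the global ID, the object
    must belong to that type, and the type's permission check runs before projection."""
    viewer = viewer or {}
    type_name, node_id = decode_global_id(gid)
    requested = next((t for t in TYPES if t.name == type_name), None)
    if requested is None:
        raise LookupError(f"unknown node type {type_name!r}")
    obj = DB.get(node_id)
    if obj is None or not requested.is_type_of(obj):
        raise LookupError("object does not belong to the requested type")
    if not requested.permission(viewer):
        raise PermissionError(f"viewer may not read {type_name}")
    result = requested.project(obj)
    assert result["__typename"] == type_name  # the invariant the buggy path violates
    return result

if __name__ == "__main__":
    gid = encode_global_id("PublicUser", 1)
    print("vulnerable:", resolve_node_vulnerable(gid))   # returns AdminUser with email
    print("fixed:     ", resolve_node_fixed(gid))        # returns PublicUser, no email
```

The detection angle for a defender is the final assertion: if the `__typename` of a resolved node ever differs from the type name decoded from the global ID the client asked for, a type-confused resolver is in play, regardless of which integration produced the object.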
Exploit
Fix
Type Confusion
Related Identifiers
- CVE-2025-22151
Affected Products
- Django
- Pydantic
- SQLAlchemy
- Strawberry GraphQL