Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport…

Strawberry GraphQL library prior to version 0.312.3 contains a denial of service vulnerability in its WebSocket subscription handlers. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocols, which fail to limit the number of active subscriptions per connection. An unauthenticated attacker can exploit this by opening a WebSocket connection and flooding it with subscribe messages, causing unlimited asyncio.Task allocation and memory growth. This leads to event loop saturation, server degradation, and potential out-of-memory crashes. The vulnerability has been patched in version 0.312.3.