The Strawberry GraphQL project reports:

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass
on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler
does not verify that a 'connection_init' handshake has been completed before
processing start (subscription) messages. This allows a remote attacker to skip
the 'on_ws_connect' authentication hook entirely by connecting with the
graphql-ws subprotocol and sending a start message directly, without ever
sending 'connection_init'.

The graphql-transport-ws subprotocol handler is not affected, as it correctly
gates subscription operations on a 'connection_acknowledged' flag. However, both
subprotocols are enabled by default in all framework integrations that support
WebSockets, and the subprotocol is selected by the client via the
Sec-WebSocket-Protocol header.

Any application relying on 'on_ws_connect' for authentication or authorization
is affected.

Strawberry GraphQL's WebSocket subscription handlers for both the
'graphql-transport-ws' and legacy 'graphql-ws' protocols allocate an
asyncio.Task and associated Operation object for every incoming subscribe
message without enforcing any limit on the number of active subscriptions per
connection.

An unauthenticated attacker can open a single WebSocket connection, send
'connection_init', and then flood subscribe messages with unique IDs. Each
message unconditionally spawns a new asyncio.Task and async generator,
causing linear memory growth and event loop saturation. This leads to server
degradation or an OOM crash.
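The two defects above (a start message processed before 'connection_init' has been acknowledged, and an unbounded number of live tasks per connection) are both failures of per-connection state tracking. The following is an added, self-contained illustration written for this page; it is not Strawberry's code and does not use Strawberry's API. It models a minimal handler for both subprotocols' message vocabularies with the two checks a hardened handler needs: a 'connection_acknowledged' gate in front of every subscribe/start message, and a cap on active operations. The 'demo_on_ws_connect' hook, the token value and the message payloads are constructed for the example.

```python
import asyncio
import json
from typing import Any, Awaitable, Callable, Optional

# The legacy protocol says "start"/"stop"; graphql-transport-ws says
# "subscribe"/"complete". The handler must apply the same gate to both.
SUBSCRIBE_TYPES = {"start", "subscribe"}
UNSUBSCRIBE_TYPES = {"stop", "complete"}


class ConnectionState:
    """Per-connection state a WebSocket handler must track (hypothetical)."""

    def __init__(self, max_subscriptions: int = 8) -> None:
        self.connection_acknowledged = False
        self.max_subscriptions = max_subscriptions
        self.operations: dict[str, asyncio.Task] = {}


async def run_operation(op_id: str) -> None:
    # Stand-in for driving a subscription's async generator; it just idles.
    await asyncio.sleep(3600)


async def demo_on_ws_connect(payload: dict[str, Any]) -> bool:
    # Hypothetical authentication hook: accepts one constructed token value.
    return payload.get("token") == "valid-token"


async def handle_message(
    state: ConnectionState,
    raw: str,
    on_ws_connect: Callable[[dict[str, Any]], Awaitable[bool]],
) -> Optional[dict[str, Any]]:
    msg = json.loads(raw)
    msg_type = msg.get("type")

    if msg_type == "connection_init":
        if await on_ws_connect(msg.get("payload") or {}):
            state.connection_acknowledged = True
            return {"type": "connection_ack"}
        return {"type": "connection_error", "payload": {"message": "authentication failed"}}

    if msg_type in SUBSCRIBE_TYPES:
        # The gate the legacy handler lacked: nothing runs until the
        # connection_init handshake has succeeded.
        if not state.connection_acknowledged:
            return {"type": "connection_error", "payload": {"message": "connection_init required"}}
        op_id = str(msg.get("id"))
        if op_id in state.operations:
            return {"type": "error", "id": op_id, "payload": {"message": "duplicate operation id"}}
        # Per-connection cap: bounds how many tasks one client can keep alive.
        if len(state.operations) >= state.max_subscriptions:
            return {"type": "error", "id": op_id, "payload": {"message": "too many active subscriptions"}}
        state.operations[op_id] = asyncio.create_task(run_operation(op_id))
        return None

    if msg_type in UNSUBSCRIBE_TYPES:
        task = state.operations.pop(str(msg.get("id")), None)
        if task is not None:
            task.cancel()
        return None

    return {"type": "error", "payload": {"message": f"unknown message type {msg_type!r}"}}


def run_session(raw_messages: list[str], max_subscriptions: int = 8) -> tuple[list[str], int]:
    """Feed constructed client messages through one connection; return the
    response type per message ("ok" when the handler sent nothing) and the
    number of operations still active at the end."""

    async def session() -> tuple[list[str], int]:
        state = ConnectionState(max_subscriptions)
        responses = []
        for raw in raw_messages:
            resp = await handle_message(state, raw, demo_on_ws_connect)
            responses.append(resp["type"] if resp else "ok")
        active = len(state.operations)
        for task in state.operations.values():
            task.cancel()
        await asyncio.gather(*state.operations.values(), return_exceptions=True)
        return responses, active

    return asyncio.run(session())


if __name__ == "__main__":
    # A start message with no prior connection_init is refused and no task is spawned.
    print(run_session(['{"type":"start","id":"1","payload":{"query":"subscription { ping }"}}']))
```

Alongside the in-handler checks, the page notes that the client picks the subprotocol through Sec-WebSocket-Protocol; where an integration lets you choose which subprotocols to advertise, leaving only graphql-transport-ws enabled removes the vulnerable legacy path until the fixed release is deployed.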