CVE-2025-22151

EPSS 0.18%
Veröffentlicht 09.01.2025 19:15:20
Zuletzt bearbeitet 09.01.2025 19:15:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerstrawberry-graphql

≫

Produkt strawberry

Version >= 0.182.0, < 0.257.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.394

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://github.com/strawberry-graphql/strawberry/commit/526eb82b70451c0e59d5a71ae9b7396f59974bd8

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-5xh2-23cc-5jc6

https://nvd.nist.gov/vuln/detail/CVE-2025-22151

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-22151

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-22151

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-22151