Strawberry GraphQL Authentication Bypass Vulnerability in WebSocket Subscription Endpoints

Vulnerability

An authentication bypass vulnerability has been identified in Strawberry GraphQL versions through 0.312.2, specifically on WebSocket subscription endpoints. The issue arises in the legacy graphql-ws subprotocol handler, which fails to ensure that a connection_init handshake is completed before processing start (subscription) messages. This flaw allows remote attackers to bypass the on_ws_connect authentication hook by connecting with the graphql-ws subprotocol and directly sending a start message, without initiating the required connection_init first. The vulnerability is not present in the graphql-transport-ws subprotocol, which properly manages subscription operations by waiting for a connection_acknowledged flag. However, both subprotocols are enabled by default in all framework integrations that support WebSockets, with the client selecting the subprotocol via the Sec-WebSocket-Protocol header.

Impact

Exploitation of this vulnerability allows for authentication bypass on WebSocket subscription endpoints, potentially leading to unauthorized access or actions within the application.

Remediation

Users are advised to upgrade to Strawberry GraphQL version 0.312.3 or later. Alternatively, the legacy graphql-ws subprotocol can be disabled by setting subscription_protocols=[GRAPHQL_TRANSPORT_WS_PROTOCOL] on the GraphQL view or router.
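To make the flaw and the check the fix must enforce concrete, here is an added, simplified Python model of a server-side handler for the legacy graphql-ws subprotocol (illustration only, not Strawberry's implementation): handle_vulnerable acts on a start message without consulting handshake state, while handle_fixed refuses it until a connection_init has been acknowledged. The Connection, run and _handle_init names, the error reply, and the token value are assumptions; the message type names follow the graphql-ws protocol.

```python
# Added, simplified model of a legacy graphql-ws server handler; not Strawberry's code.
from dataclasses import dataclass, field

@dataclass
class Connection:
    acknowledged: bool = False  # set once connection_init has been accepted
    sent: list = field(default_factory=list)  # messages sent back to the client
    subscriptions: list = field(default_factory=list)  # ids of started operations

def on_ws_connect(payload: dict) -> bool:
    """Stand-in for the on_ws_connect auth hook; 'valid-token' is a constructed value."""
    return payload.get("token") == "valid-token"

def _handle_init(conn: Connection, msg: dict) -> None:
    """connection_init handling shared by both handlers: run the hook, then ack or reject."""
    if on_ws_connect(msg.get("payload") or {}):
        conn.acknowledged = True
        conn.sent.append({"type": "connection_ack"})
    else:
        conn.sent.append({"type": "connection_error", "payload": {"message": "Unauthorized"}})

def handle_vulnerable(conn: Connection, msg: dict) -> None:
    """Dispatches on message type alone; never checks whether the handshake completed."""
    if msg["type"] == "connection_init":
        _handle_init(conn, msg)
    elif msg["type"] == "start":
        conn.subscriptions.append(msg["id"])  # BUG: runs even with no handshake

def handle_fixed(conn: Connection, msg: dict) -> None:
    """Refuses 'start' until connection_init has been acknowledged."""
    if msg["type"] == "connection_init":
        _handle_init(conn, msg)
    elif msg["type"] == "start":
        if not conn.acknowledged:
            conn.sent.append({"type": "error", "id": msg["id"],
                              "payload": {"message": "connection_init required"}})
            return
        conn.subscriptions.append(msg["id"])

def run(handler, messages: list) -> Connection:
    """Feed a sequence of client messages to a handler and return the final state."""
    conn = Connection()
    for msg in messages:
        handler(conn, msg)
    return conn

# Constructed client sequences: START alone (no handshake) vs. init then START.
START = {"type": "start", "id": "1", "payload": {"query": "subscription { events }"}}
WITH_HANDSHAKE = [{"type": "connection_init", "payload": {"token": "valid-token"}}, START]
```

Running run(handle_vulnerable, [START]) starts the subscription with no handshake at all, whereas run(handle_fixed, [START]) records only an error reply; that state check is what the graphql-transport-ws handler already performs via its connection_acknowledged flag.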

Added: Apr 7, 2026, 7:42 PM
Updated: Apr 7, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.