MEDIUM 4.3
PYSEC-2026-2282
상세
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
PyPI / strawberry-graphql
최초 영향 버전:
0.288.4 수정 버전: 0.315.4 수정
pip install --upgrade 'strawberry-graphql>=0.315.4' 참고
- https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4 [ADVISORY]
- https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj [ADVISORY]
- https://github.com/strawberry-graphql/strawberry/issues/4398 [REPORT]
- https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9 [FIX]
- https://github.com/strawberry-graphql/strawberry/pull/2842 [FIX]