Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-22151

Good to know:

icon
icon

Date: January 9, 2025

Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.

Severity Score

Related Resources (5)

https://github.com/strawberry-graphql/strawberry/commit/526eb82b70451c0e59d5a71ae9b7396f59974bd8
https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-5xh2-23cc-5jc6
https://github.com/strawberry-graphql/strawberry
https://nvd.nist.gov/vuln/detail/CVE-2025-22151
https://www.mend.io/vulnerability-database/CVE-2025-22151

Severity Score

Weakness Type (CWE)

Insufficient Type Distinction

CWE-351

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843

Top Fix

icon

Upgrade Version

Upgrade to version strawberry-graphql - 0.213.0;strawberry-graphql - 0.208.1;strawberry-graphql - 0.192.1;strawberry-graphql - 0.196.2;strawberry-graphql - 0.222.0;strawberry-graphql - 0.194.4;strawberry-graphql - 0.231.1;strawberry-graphql - 0.248.0;strawberry-graphql - 0.227.2;strawberry-graphql - 0.251.0;strawberry-graphql - 0.193.0;strawberry-graphql - 0.218.0;strawberry-graphql - 0.214.0;strawberry-graphql - 0.210.0;strawberry-graphql - 0.234.0;strawberry-graphql - 0.227.2;strawberry-graphql - 0.203.1;strawberry-graphql - 0.240.3;strawberry-graphql - 0.239.1;strawberry-graphql - 0.209.6;strawberry-graphql - 0.195.1;strawberry-graphql - 0.215.3;strawberry-graphql - 0.213.0;strawberry-graphql - 0.240.1;strawberry-graphql - 0.224.2;strawberry-graphql - 0.228.0;strawberry-graphql - 0.183.2;strawberry-graphql - 0.246.3;strawberry-graphql - 0.217.0;strawberry-graphql - 0.185.1;strawberry-graphql - 0.187.4;strawberry-graphql - 0.199.2;strawberry-graphql - 0.207.1;strawberry-graphql - 0.237.2;strawberry-graphql - 0.202.1;strawberry-graphql - 0.183.6;strawberry-graphql - 0.196.2;strawberry-graphql - 0.189.1;strawberry-graphql - 0.226.0;strawberry-graphql - 0.246.1;strawberry-graphql - 0.220.0;strawberry-graphql - 0.187.0;strawberry-graphql - 0.245.0;strawberry-graphql - 0.201.0;strawberry-graphql - 0.186.2;strawberry-graphql - 0.229.2;strawberry-graphql - 0.243.0;strawberry-graphql - 0.189.3;strawberry-graphql - 0.255.0;strawberry-graphql - 0.257.0;strawberry-graphql - 0.194.2;strawberry-graphql - 0.209.3

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us