CVE-2023-22477: Uncaught Exception in mercurius when using subscriptions

Mercurius is a GraphQL adapter for Fastify. Any user of Mercurius until version 10.5.0 is exposed to a denial-of-service attack: a malformed packet sent over WebSocket to /graphql raises an uncaught exception. This issue was patched in #940. As a workaround, users can disable subscriptions.

Type: CVE

Tags: #web #dos #nodejs

Moderate

mcollina published GHSA-cm8h-q92v-xcfc on Jan 8, 2023

Package

npm mercurius (npm)

Affected versions

< 11.5.0

Patched versions

>= 11.5.0

Description

Impact

Any user of Mercurius until version v11.5.0 is exposed to a denial-of-service attack: a malformed packet sent over WebSocket to /graphql triggers an uncaught exception when subscriptions are in use.

Patches

This was patched in #940.

Workarounds

Disable subscriptions.

References

Reported publicly as #939.
The same problem was solved in fastify/fastify-websocket#228.

Severity

CVSS base metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
