Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cm8h-q92v-xcfc: mercurius has Uncaught Exception when using subscriptions

Impact

Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.

Patches

This was patched in https://github.com/mercurius-js/mercurius/pull/940.

Workarounds

Disable subscriptions.

References

Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

ghsa
Open in Source
#web#dos#js#git

mercurius has Uncaught Exception when using subscriptions

Moderate severity GitHub Reviewed Published Jan 9, 2023 in mercurius-js/mercurius • Updated Jan 9, 2023

Related news

CVE-2023-22477: Uncaught Exception in mercurius when using subscriptions

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP
ghsa