VYPR
Moderate severity · NVD Advisory · Published Jan 9, 2023 · Updated Mar 10, 2025

Mercurius is vulnerable to denial of service (DoS) when using subscriptions

CVE-2023-22477

Description

Mercurius is a GraphQL adapter for Fastify. Any user of Mercurius until version 10.5.0 is subject to a denial-of-service attack: an attacker can trigger it by sending a malformed packet over WebSocket to /graphql. This issue was patched in #940. As a workaround, users can disable subscriptions.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem   Affected versions     Patched versions
mercurius  npm         >= 9.0.0, < 11.5.0    11.5.0
mercurius  npm         < 8.13.2              8.13.2

Affected products (2)

  • ghsa-coords
    Range: >= 9.0.0, < 11.5.0
  • mercurius-js/mercuriusv5
    Range: < 10.5.0
