Moderate severity · NVD Advisory · Published Jan 9, 2023 · Updated Mar 10, 2025
Mercurius is vulnerable to denial of service (DoS) when using subscriptions
CVE-2023-22477
Description
Mercurius is a GraphQL adapter for Fastify. Users of Mercurius before version 10.5.0 are exposed to a denial-of-service attack: a malformed packet sent over WebSocket to /graphql (the subscriptions endpoint) is enough to trigger it. The issue was patched in mercurius-js/mercurius#940. As a workaround, users can disable subscriptions.
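The description names the failure mode (one malformed WebSocket frame to /graphql takes the service down) but not the code behind it. The following is an added example written for this page, not code from Mercurius or from the linked pull requests: a naive frame handler that lets a bad packet escape as an uncaught exception, beside a hardened one that validates every frame and closes only the offending connection. The accepted message types, the 64 KiB limit, the close code 4400 (the graphql-ws "Bad Request" code), the `attach`/`simulate` helpers and the `FakeSocket` harness are assumptions of the example; the frames are constructed, not captured traffic.

```javascript
// Added illustration, not Mercurius' own code. A WebSocket subscription
// endpoint must treat every client frame as untrusted: the naive handler
// shows the crash-style DoS class, the safe handler shows the fix.
// Message types follow the graphql-ws convention; the rest is assumed.

// Client -> server message types this example accepts (assumed subset).
const CLIENT_MESSAGE_TYPES = new Set([
  'connection_init', 'ping', 'pong', 'subscribe', 'complete',
]);

// Vulnerable pattern: trusts the frame. A non-JSON frame makes JSON.parse
// throw; the JSON literal `null` makes `msg.type` throw a TypeError. Thrown
// from a socket 'message' listener, that is an uncaughtException and the
// Node process exits: one packet, no more server.
function naiveHandle(raw) {
  const msg = JSON.parse(raw);
  return { type: msg.type, id: msg.id };
}

// Hardened pattern: every failure path becomes a decision ('close' with a
// reason) instead of an exception. Size is checked before parsing.
function safeHandle(raw, maxBytes = 64 * 1024) {
  if (typeof raw !== 'string' && !Buffer.isBuffer(raw)) {
    return { action: 'close', code: 4400, reason: 'unsupported frame type' };
  }
  const text = Buffer.isBuffer(raw) ? raw.toString('utf8') : raw;
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    return { action: 'close', code: 4400, reason: 'message too large' };
  }
  let msg;
  try {
    msg = JSON.parse(text);
  } catch {
    return { action: 'close', code: 4400, reason: 'invalid JSON' };
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { action: 'close', code: 4400, reason: 'message must be a JSON object' };
  }
  if (typeof msg.type !== 'string' || !CLIENT_MESSAGE_TYPES.has(msg.type)) {
    return { action: 'close', code: 4400, reason: 'unknown message type' };
  }
  if (msg.type === 'subscribe') {
    if (typeof msg.id !== 'string' || msg.id.length === 0) {
      return { action: 'close', code: 4400, reason: 'subscribe needs a string id' };
    }
    const p = msg.payload;
    if (p === null || typeof p !== 'object' || typeof p.query !== 'string') {
      return { action: 'close', code: 4400, reason: 'subscribe payload needs a query string' };
    }
  }
  return { action: 'dispatch', type: msg.type, id: msg.id };
}

// Wires the safe handler to a socket-like object (anything with on/close,
// e.g. a ws.WebSocket). A bad frame closes that one connection only; the
// process and every other client keep running.
function attach(socket, dispatch) {
  socket.on('message', (raw) => {
    const result = safeHandle(raw);
    if (result.action === 'close') {
      socket.close(result.code, result.reason);
      return;
    }
    dispatch(result);
  });
}

// Minimal in-memory socket so the flow runs without a network (assumed harness).
class FakeSocket {
  constructor() { this.listeners = {}; this.closed = null; this.dispatched = []; }
  on(event, fn) { this.listeners[event] = fn; }
  close(code, reason) { this.closed = { code, reason }; }
  emit(event, data) { this.listeners[event](data); }
}

// Constructed frames (not captured traffic) covering the failure modes.
const FRAMES = [
  '{"type":"connection_init"}',
  'null',
  'not json at all',
  '[1,2,3]',
  '{"type":"subscribe","id":"1"}',
  '{"type":"subscribe","id":"1","payload":{"query":"subscription { tick }"}}',
];

// Feeds each frame to a fresh socket and reports what happened to it.
function simulate(frames) {
  return frames.map((frame) => {
    const sock = new FakeSocket();
    attach(sock, (r) => sock.dispatched.push(r.type));
    sock.emit('message', frame);
    return sock.closed ? `close:${sock.closed.reason}` : `dispatch:${sock.dispatched[0]}`;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const outcomes = simulate(FRAMES);
  FRAMES.forEach((f, i) => console.log(JSON.stringify(f), '->', outcomes[i]));
}
```

Run it with node to see each constructed frame's outcome. The workaround in the description, disabling subscriptions, removes the WebSocket endpoint altogether (in Mercurius that is its `subscription` registration option, assumed from its documentation and not part of this example); upgrading to a patched release is the actual fix.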
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mercurius (npm) | >= 9.0.0, < 11.5.0 | 11.5.0 |
| mercurius (npm) | < 8.13.2 | 8.13.2 |
Affected products
- mercurius-js/mercurius: < 10.5.0
References
- https://github.com/advisories/GHSA-cm8h-q92v-xcfc (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-22477 (NVD record)
- https://github.com/fastify/fastify-websocket/pull/228 (related fastify-websocket pull request)
- https://github.com/mercurius-js/mercurius/issues/939 (issue)
- https://github.com/mercurius-js/mercurius/pull/940 (fix pull request)
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc (vendor advisory, confirmed)