npm package
mercurius
pkg:npm/mercurius
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30241 | — | | | < 16.8.0 | 16.8.0 | Mar 6, 2026 | Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscriptio |
| CVE-2025-64166 | — | | | < 16.4.0 | 16.4.0 | Mar 5, 2026 | Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as applicati |
| CVE-2023-22477 | — | | | >= 9.0.0, < 11.5.0 | 11.5.0 | Jan 9, 2023 | Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions. |
| CVE-2021-43801 | — | | | >= 8.10.0, < 8.11.2 | 8.11.2 | Dec 13, 2021 | Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercuri |