VYPR

npm package

mercurius

pkg:npm/mercurius

Vulnerabilities (4)

  • CVE-2026-30241 (Mar 6, 2026)
    affected < 16.8.0, fixed 16.8.0

    Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscriptio

  • CVE-2025-64166 (Mar 5, 2026)
    affected < 16.4.0, fixed 16.4.0

    Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as applicati

  • CVE-2023-22477 (Jan 9, 2023)
    affected >= 9.0.0, < 11.5.0, fixed 11.5.0

    Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subject to a denial of service attack triggered by a malformed packet sent over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

  • CVE-2021-43801 (Dec 13, 2021)
    affected >= 8.10.0, < 8.11.2, fixed 8.11.2

    Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subject to a denial of service attack triggered by malformed JSON sent to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercuri