logo

Database

Asymmetric denial of service In mercurius

Description

mercurius has Uncaught Exception when using subscriptions

Impact

Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.

Patches

This was patched in https://github.com/mercurius-js/mercurius/pull/940. The patch was released as v11.5.0 and v8.13.2.

Workarounds

Disable subscriptions.

References

Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-224772. NVD-2023-224773. OSV-2023-224774. GHSA-cm8h-q92v-xcfc5. GCVE-2023-22477

References

1. https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc2. https://github.com/mercurius-js/mercurius/issues/9393. https://github.com/fastify/fastify-websocket/pull/2284. https://github.com/mercurius-js/mercurius/pull/940

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.