CVE-2021-43801

Published: Dec 13, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.

Affected (1)

Products: Mercurius Project: Mercurius

Mercurius Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mercurius Project Mercurius	From 8.10.0 to 8.11.2

Related CWEs

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

References (6)

https://github.com/mercurius-js/mercurius/issues/677

Source: security-advisories@github.com

Issue TrackingPatchThird Party Advisory

https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/issues/677

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.