CVE-2023-22477

Published: Jan 9, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

Affected (2)

Products: Mercurius Project: Mercurius

Mercurius Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mercurius Project Mercurius	Before 8.13.2
Mercurius Project Mercurius	From 9.0.0 to 11.5.0

Related CWEs

Uncaught Exception

An exception is thrown from a function, but it is not caught.

References (6)

https://github.com/mercurius-js/mercurius/issues/939

Source: security-advisories@github.com

ExploitIssue TrackingThird Party Advisory

https://github.com/mercurius-js/mercurius/pull/940

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/issues/939

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/mercurius-js/mercurius/pull/940

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.