CVE-2023-22477

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-22477

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22477.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-22477

Aliases

GHSA-cm8h-q92v-xcfc

Published

2023-01-09T14:12:24.837Z

Modified

2026-03-14T12:01:58.858762Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Mercurius is vulnerable to denial of service (DoS) when using subscriptions

Details

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql. This issue was patched in #940. As a workaround, users can disable subscriptions.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-248"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22477.json"
}

References

Affected packages

Git / github.com/mercurius-js/mercurius

Affected ranges

Type: GIT
Repo: https://github.com/mercurius-js/mercurius
Events: Introduced

c0c0dd394e06b645f37f0d7f99564d0dc06179bb

Fixed

7ea5e4aff90468678a7bbb6621b59e480242e19b

Affected versions

v10.*

v10.0.0

v10.1.0

v10.1.1

v10.2.0

v10.3.0

v10.4.0

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.3.0

v9.3.1

v9.3.2

v9.3.3

v9.3.4

v9.3.5

v9.3.6

v9.4.0

v9.5.0

v9.7.0

v9.8.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22477.json"