GHSA-cm8h-q92v-xcfc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cm8h-q92v-xcfc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-cm8h-q92v-xcfc/GHSA-cm8h-q92v-xcfc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cm8h-q92v-xcfc
- Aliases
- Published
- 2023-01-09T21:55:44Z
- Modified
- 2023-11-08T04:11:36.112865Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- mercurius has Uncaught Exception when using subscriptions
- Details
-
Impact
Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to
/graphql.Patches
This was patched in https://github.com/mercurius-js/mercurius/pull/940. The patch was released as v11.5.0 and v8.13.2.
Workarounds
Disable subscriptions.
References
Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228
- Database specific
{ "nvd_published_at": "2023-01-09T15:15:00Z", "severity": "MODERATE", "cwe_ids": [ "CWE-248" ], "github_reviewed": true, "github_reviewed_at": "2023-01-09T21:55:44Z" }- References
-
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc
- https://nvd.nist.gov/vuln/detail/CVE-2023-22477
- https://github.com/mercurius-js/mercurius/issues/939
- https://github.com/fastify/fastify-websocket/pull/228
- https://github.com/mercurius-js/mercurius/pull/940
- https://github.com/mercurius-js/mercurius
Affected packages
npm / mercurius
Package
- Name
- mercurius
- View open source insights on deps.dev
- Purl
- pkg:npm/mercurius
npm / mercurius
Package
- Name
- mercurius
- View open source insights on deps.dev
- Purl
- pkg:npm/mercurius