GHSA-cm8h-q92v-xcfc

Suggest an improvement
Source
https://github.com/advisories/GHSA-cm8h-q92v-xcfc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-cm8h-q92v-xcfc/GHSA-cm8h-q92v-xcfc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cm8h-q92v-xcfc
Aliases
Published
2023-01-09T21:55:44Z
Modified
2023-11-08T04:11:36.112865Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
mercurius has Uncaught Exception when using subscriptions
Details

Impact

Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.

Patches

This was patched in https://github.com/mercurius-js/mercurius/pull/940. The patch was released as v11.5.0 and v8.13.2.

Workarounds

Disable subscriptions.

References

Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

References

Affected packages

npm / mercurius

Package

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
11.5.0

npm / mercurius

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.13.2