Vulnerability Description
Mercurius is a GraphQL adapter for Fastify. Any user of Mercurius until version 10.5.0 is subject to a denial of service attack triggered by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in pull request #940. As a workaround, users can disable subscriptions, the Mercurius feature that serves the WebSocket endpoint.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mercurius Project | Mercurius | < 8.13.2 |
Related Weaknesses (CWE)
References
- https://github.com/mercurius-js/mercurius/issues/939 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/mercurius-js/mercurius/pull/940 (Patch, Third Party Advisory)
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcf (Patch, Third Party Advisory)
FAQ
What is CVE-2023-22477?
CVE-2023-22477 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Mercurius is a GraphQL adapter for Fastify. Any user of Mercurius until version 10.5.0 is subject to a denial of service attack triggered by sending a malformed packet over WebSocket to `/graphql`. This iss...
How severe is CVE-2023-22477?
CVE-2023-22477 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2023-22477?
Check the References section above for vendor advisories and patch information. Affected products include Mercurius (Mercurius Project).