CVE-2023-22477 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-22477

CVE-2023-22477

January 09, 2023

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions. The patch was released as v11.5.0 and v8.13.2.

Affected Packages

mercurius (NPM):

Affected version(s) >=0.0.1 <8.13.2

Fix Suggestion:

Update to version 8.13.2

mercurius (NPM):

Affected version(s) >=9.0.0 <11.5.0

Fix Suggestion:

Update to version 11.5.0

Related Resources (7)

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc

https://github.com/fastify/fastify-websocket/pull/228

https://nvd.nist.gov/vuln/detail/CVE-2023-22477

https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22477.json

https://github.com/mercurius-js/mercurius/issues/939

https://github.com/mercurius-js/mercurius/pull/940

https://github.com/mercurius-js/mercurius

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Weakness Type (CWE)

Uncaught Exception

CWE-248

EPSS

Base Score:

0.25

Products

Solutions

Resources

Company

Compare

Developer Tools