{ "schema_version": "1.4.0", "id": "GHSA-cm8h-q92v-xcfc", "modified": "2023-01-10T16:15:07Z", "published": "2023-01-09T21:55:44Z", "aliases": [ "CVE-2023-22477" ], "summary": "mercurius has Uncaught Exception when using subscriptions", "details": "### Impact\n\nAny users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`.\n\n### Patches\n\nThis was patched in https://github.com/mercurius-js/mercurius/pull/940.\nThe patch was released as v11.5.0 and v8.13.2.\n\n### Workarounds\n\nDisable subscriptions.\n\n### References\n\nReported publicly as https://github.com/mercurius-js/mercurius/issues/939.\nThe same problem was solved in https://github.com/fastify/fastify-websocket/pull/228\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "mercurius" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "11.5.0" } ] } ] }, { "package": { "ecosystem": "npm", "name": "mercurius" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.13.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22477" }, { "type": "WEB", "url": "https://github.com/mercurius-js/mercurius/issues/939" }, { "type": "WEB", "url": "https://github.com/fastify/fastify-websocket/pull/228" }, { "type": "WEB", "url": "https://github.com/mercurius-js/mercurius/pull/940" }, { "type": "PACKAGE", "url": "https://github.com/mercurius-js/mercurius" } ], "database_specific": { "cwe_ids": [ "CWE-248" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-01-09T21:55:44Z", "nvd_published_at": "2023-01-09T15:15:00Z" } }