{"id":"CVE-2021-43801","details":"Mercurius is a GraphQL adapter for Fastify. Users of Mercurius 8.10.0 through 8.11.1 are exposed to a denial-of-service attack in which malformed JSON is sent to `/graphql`, unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround, users may use a custom error handler.","aliases":["GHSA-273r-rm8g-7f3x"],"modified":"2026-03-15T22:42:14.188816Z","published":"2021-12-13T20:15:07.577Z","related":["GHSA-273r-rm8g-7f3x"],"references":[{"type":"FIX","url":"https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x"},{"type":"FIX","url":"https://github.com/mercurius-js/mercurius/issues/677"},{"type":"FIX","url":"https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mercurius-js/mercurius","events":[{"introduced":"3b861dd8c35c09568b65d8293e4206bba9a23213"},{"fixed":"d34a103fd9fe3df941acdd6072c6a602d235fcbb"}],"database_specific":{"versions":[{"introduced":"8.10.0"},{"fixed":"8.11.2"}]}}],"versions":["v8.10.0","v8.11.0","v8.11.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43801.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}