{"id":"CVE-2023-22477","summary":"Mercurius is vulnerable to denial of service (DoS) when using subscriptions","details":"Mercurius is a GraphQL adapter for Fastify. Any user of Mercurius prior to version 10.5.0 is subject to a denial-of-service attack via a malformed packet sent over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.\n\n","aliases":["GHSA-cm8h-q92v-xcfc"],"modified":"2026-04-02T08:47:41.026641Z","published":"2023-01-09T14:12:24.837Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22477.json","cwe_ids":["CWE-248"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22477.json"},{"type":"ADVISORY","url":"https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22477"},{"type":"REPORT","url":"https://github.com/mercurius-js/mercurius/issues/939"},{"type":"FIX","url":"https://github.com/mercurius-js/mercurius/pull/940"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mercurius-js/mercurius","events":[{"introduced":"c0c0dd394e06b645f37f0d7f99564d0dc06179bb"},{"fixed":"7ea5e4aff90468678a7bbb6621b59e480242e19b"}]}],"versions":["v10.0.0","v10.1.0","v10.1.1","v10.2.0","v10.3.0","v10.4.0","v9.0.0","v9.1.0","v9.2.0","v9.3.0","v9.3.1","v9.3.2","v9.3.3","v9.3.4","v9.3.5","v9.3.6","v9.4.0","v9.5.0","v9.7.0","v9.8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22477.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}