GHSA-cm8h-q92v-xcfc

Опубликовано: 09 янв. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

mercurius has Uncaught Exception when using subscriptions

Impact

Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.

Patches

This was patched in https://github.com/mercurius-js/mercurius/pull/940. The patch was released as v11.5.0 and v8.13.2.

Workarounds

Disable subscriptions.

References

Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

Ссылки

Пакеты

Наименование

mercurius

npm

Затронутые версииВерсия исправления

>= 9.0.0, < 11.5.0

11.5.0

Наименование

mercurius

npm

Затронутые версииВерсия исправления

< 8.13.2

8.13.2

EPSS

Процентиль: 48%

0.00247

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2023-22477

Дефекты

CWE-248

Связанные уязвимости

CVE-2023-22477

CVSS3: 5.3

nvd

около 3 лет назад

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

EPSS

Процентиль: 48%

0.00247

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2023-22477

Дефекты

CWE-248