CVE-2023-22477: Uncaught Exception

January 9, 2023 (updated November 7, 2023)

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql. This issue was patched in #940. As a workaround, users can disable subscriptions.

References

github.com/advisories/GHSA-cm8h-q92v-xcfc
github.com/fastify/fastify-websocket/pull/228
github.com/mercurius-js/mercurius/issues/939
github.com/mercurius-js/mercurius/pull/940
github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc
nvd.nist.gov/vuln/detail/CVE-2023-22477

Detect and mitigate CVE-2023-22477 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →