Impact
Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.
Patches
This was patched in https://github.com/mercurius-js/mercurius/pull/940.
The patch was released as v11.5.0 and v8.13.2.
Workarounds
Disable subscriptions.
References
Reported publicly as https://github.com/mercurius-js/mercurius/issues/939.
The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228
References
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc
- https://nvd.nist.gov/vuln/detail/CVE-2023-22477
- https://github.com/mercurius-js/mercurius/issues/939
- https://github.com/fastify/fastify-websocket/pull/228
- https://github.com/mercurius-js/mercurius/pull/940
- https://github.com/advisories/GHSA-cm8h-q92v-xcfc