Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by…
GitHub_M·CWE-754·Published 2021-12-13
Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.
Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.
### Impact Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. ### Patches The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. ### Workarounds Use a custom error handler. ### References See https://github.com/mercurius-js/mercurius/issues/677 ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/mercurius-js/mercurius * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)
### Impact Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. ### Patches The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. ### Workarounds Use a custom error handler. ### References See https://github.com/mercurius-js/mercurius/issues/677 ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/mercurius-js/mercurius * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)
Mercurius es un adaptador GraphQL para Fastify. Cualquier usuario de Mercurius@ versiones 8.10.0 a 8.11.1, está sujeto a un ataque de denegación de servicio mediante el envío de un JSON malformado a "/graphql" a menos que esté usando un administrador de errores personalizado. La vulnerabilidad ha sido corregida en https://github.com/mercurius-js/mercurius/pull/678 y ha sido distribuida en la versión 8.11.2. Como solución, los usuarios pueden usar un administrador de errores personalizado
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |