Mercurius
Monthly
Mercurius versions prior to 16.8.0 fail to validate GraphQL subscription query depth limits over WebSocket connections, allowing remote attackers to bypass depth restrictions that are properly enforced for HTTP queries. An attacker can exploit this to submit arbitrarily nested subscription queries that cause denial of service through exponential data resolution on schemas with recursive types. A patch is available in version 16.8.0.
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misint...
Mercurius versions prior to 16.8.0 fail to validate GraphQL subscription query depth limits over WebSocket connections, allowing remote attackers to bypass depth restrictions that are properly enforced for HTTP queries. An attacker can exploit this to submit arbitrarily nested subscription queries that cause denial of service through exponential data resolution on schemas with recursive types. A patch is available in version 16.8.0.
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misint...