GHSA-273r-rm8g-7f3x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-273r-rm8g-7f3x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-273r-rm8g-7f3x/GHSA-273r-rm8g-7f3x.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-273r-rm8g-7f3x
- Aliases
- Related
- Published
- 2021-12-13T21:33:04Z
- Modified
- 2026-01-30T02:09:47.468776Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Uncaught Exception in mercurius
- Details
-
Impact
Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to
/graphqlunless they are using a custom error handler.Patches
The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2.
Workarounds
Use a custom error handler.
References
See https://github.com/mercurius-js/mercurius/issues/677
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/mercurius-js/mercurius * Email us at hello@matteocollina.com
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2021-12-13T20:15:00Z", "severity": "HIGH", "cwe_ids": [ "CWE-754" ], "github_reviewed_at": "2021-12-13T20:20:28Z" }- References
-
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x
- https://nvd.nist.gov/vuln/detail/CVE-2021-43801
- https://github.com/mercurius-js/mercurius/issues/677
- https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223
- https://github.com/mercurius-js/mercurius
Affected packages
npm / mercurius
Package
- Name
- mercurius
- View open source insights on deps.dev
- Purl
- pkg:npm/mercurius