cve/2023/CVE-2023-22477.md

### [CVE-2023-22477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22477)
![](https://img.shields.io/static/v1?label=Product&message=mercurius&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2010.5.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-248%3A%20Uncaught%20Exception&color=brighgreen)

### Description

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/alopresto/epss_api_demo
- https://github.com/alopresto6m/epss_api_demo
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-22477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22477)`
			`![](https://img.shields.io/static/v1?label=Product&message=mercurius&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2010.5.0%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-248%3A%20Uncaught%20Exception&color=brighgreen)`

			`### Description`

			Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/alopresto/epss_api_demo`
			`- https://github.com/alopresto6m/epss_api_demo`