Skip to main content

Uncaught Exception


Severity High
Score 7.5/10


Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius versions through 8.13.1 and 9.0.0 through 11.4.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to "/graphql". This issue was patched in #940. As a workaround, users can disable subscriptions.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-248 - Uncaught Exception

An exception is thrown from a function, but it is not caught.

Advisory Timeline

  • Published