Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius versions through 8.13.1 and 9.0.0 through 11.4.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to "/graphql". This issue was patched in #940. As a workaround, users can disable subscriptions.
CWE-248 - Uncaught Exception
An exception is thrown from a function, but it is not caught.