Description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.
Published: 2026-03-06
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Mercurius is a GraphQL adapter for Fastify that enforces a queryDepth limit on client requests. Prior to version 16.8.0 the limit is applied to HTTP queries and mutations but is omitted for subscription queries received via WebSocket. An attacker can send a subscription with arbitrary nesting depth, causing the server to resolve deeply nested fields for every subscription event. This leads to a denial‑of‑service condition due to exponential data resolution when the schema contains recursive types.

Affected Systems

The issue affects Mercurius version 16.7.x and earlier. Any deployment using the mercurius npm package via Node.js that serves GraphQL subscriptions over WebSocket is vulnerable until the vendor releases version 16.8.0.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity, and the EPSS score is below 1%, indicating a very low probability of exploitation in the wild. The flaw is remotely exploitable by any client that can open a WebSocket connection to the GraphQL endpoint and submit a deeply nested subscription query, which is the expected attack vector. Because the vulnerability is limited to subscription operations over WebSocket, an attacker needs to be able to reach a WebSocket-enabled GraphQL server.

Generated by OpenCVE AI on April 18, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mercurius to version 16.8.0 or later.
  • Configure a stricter queryDepth limit for subscription queries, ensuring validation is enforced.
  • Monitor subscription activity and system resource usage for abnormal spikes; consider rate‑limiting WebSocket subscriptions.
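As an added example (not code from Mercurius, Fastify or OpenCVE), the following JavaScript shows the two defensive measures the description and the actions above call for: a queryDepth check that is run on the operation text regardless of transport or operation type, so a subscribe message arriving over WebSocket is validated exactly like an HTTP query or mutation, and a per-connection cap on concurrently active subscriptions. The brace-based depth counter, the depth convention (top-level fields of an operation count as depth 1), the function and class names, and the constructed recursive sample subscription are all assumptions made for this example; a production check would walk the parsed AST and follow fragment spreads rather than count braces.

```javascript
// Added example, not Mercurius's own implementation. Depth convention
// (an assumption for this example): top-level fields of an operation are
// depth 1, their children depth 2, and so on. Fragment spreads are not
// followed by this simplified counter.

// Remove block strings, ordinary strings and # comments so that braces
// inside them are not mistaken for selection-set delimiters.
function stripNonStructural(source) {
  let out = "";
  let i = 0;
  while (i < source.length) {
    if (source.startsWith('"""', i)) {
      const end = source.indexOf('"""', i + 3);
      i = end === -1 ? source.length : end + 3;
    } else if (source[i] === '"') {
      i += 1;
      while (i < source.length && source[i] !== '"') {
        i += source[i] === "\\" ? 2 : 1; // skip escaped characters
      }
      i += 1; // closing quote
    } else if (source[i] === "#") {
      while (i < source.length && source[i] !== "\n") i += 1;
    } else {
      out += source[i];
      i += 1;
    }
  }
  return out;
}

// Operation keyword at the start of the document; the anonymous shorthand
// "{ ... }" is a query by the GraphQL specification.
function operationType(cleaned) {
  const m = /^\s*(query|mutation|subscription)\b/.exec(cleaned);
  return m ? m[1] : "query";
}

// Maximum selection-set nesting in the document, independent of operation type.
function selectionDepth(cleaned) {
  let current = 0;
  let max = 0;
  for (const ch of cleaned) {
    if (ch === "{") {
      current += 1;
      if (current > max) max = current;
    } else if (ch === "}") {
      current -= 1;
      if (current < 0) throw new Error("unbalanced selection set");
    }
  }
  if (current !== 0) throw new Error("unbalanced selection set");
  return max;
}

// The check every transport handler should run before executing, whether the
// operation arrived over HTTP or as a WebSocket subscribe message.
function checkQueryDepth(source, queryDepth) {
  const cleaned = stripNonStructural(source);
  const depth = selectionDepth(cleaned);
  return { operation: operationType(cleaned), depth, allowed: depth <= queryDepth };
}

// Per-connection budget of concurrently active subscriptions (the
// rate-limiting measure suggested above), keyed by an opaque connection id.
class SubscriptionBudget {
  constructor(maxActive) {
    this.maxActive = maxActive;
    this.active = new Map();
  }
  // Reserves a slot and returns true, or returns false when the cap is reached.
  start(connectionId) {
    const n = this.active.get(connectionId) ?? 0;
    if (n >= this.maxActive) return false;
    this.active.set(connectionId, n + 1);
    return true;
  }
  stop(connectionId) {
    const n = this.active.get(connectionId) ?? 0;
    if (n <= 1) this.active.delete(connectionId);
    else this.active.set(connectionId, n - 1);
  }
  count(connectionId) {
    return this.active.get(connectionId) ?? 0;
  }
}

// Constructed recursive selection "a { a { ... } }" of the given depth, the
// shape a schema with recursive types makes possible.
function nestedSelection(depth) {
  return depth <= 1 ? "a" : `a { ${nestedSelection(depth - 1)} }`;
}

// Constructed sample: a subscription nested 12 levels deep, checked against a
// queryDepth limit of 7 (so it must be rejected).
const SAMPLE_SUBSCRIPTION = `subscription Deep { ${nestedSelection(12)} }`;

console.log(checkQueryDepth("{ a { b } }", 7));
console.log(checkQueryDepth(SAMPLE_SUBSCRIPTION, 7));
```

The point of running `checkQueryDepth` in one place shared by every transport is that a limit configured once cannot be silently skipped for one operation kind; the budget class covers the separate failure mode where a client opens many subscriptions that are each within the depth limit.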

Advisories

Source: Github GHSA
ID: GHSA-m4h2-mjfm-mp55
Title: Mercurius's queryDepth limit bypassed for WebSocket subscriptions

History

Thu, 12 Mar 2026 15:30:00 +0000
  • First Time appeared (values added): Mercurius Project; Mercurius Project mercurius
  • CPEs (values added): cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*
  • Vendors & Products (values added): Mercurius Project; Mercurius Project mercurius
  • Metrics cvssV3_1 (values added): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Mon, 09 Mar 2026 21:15:00 +0000
  • Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000
  • First Time appeared (values added): Mercurius-js; Mercurius-js mercurius
  • Vendors & Products (values added): Mercurius-js; Mercurius-js mercurius

Fri, 06 Mar 2026 21:30:00 +0000
  • Description (values added): the description shown at the top of this page
  • Title (values added): Mercurius: queryDepth limit bypassed for WebSocket subscriptions
  • Weaknesses (values added): CWE-863
  • References (values added):
  • Metrics cvssV4_0 (values added): {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:28.446Z

Reserved: 2026-03-04T17:23:59.799Z

Link: CVE-2026-30241

Vulnrichment

Updated: 2026-03-09T20:47:26.257Z

NVD

Status: Analyzed

Published: 2026-03-06T22:16:01.587

Modified: 2026-03-12T15:16:45.377

Link: CVE-2026-30241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses