Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
2.7

Mercurius GraphQL Adapter Fails to Enforce Depth Limits on WebSocket Queries

GHSA-m4h2-mjfm-mp55 CVE-2026-30241 GHSA-m4h2-mjfm-mp55
Summary

Mercurius, a GraphQL adapter for Fastify, had a bug that allowed a malicious client to submit overly complex GraphQL queries over WebSockets, potentially causing a denial of service. This issue has been fixed in version 16.8.0. Make sure to update Mercurius to the latest version to protect your application from this vulnerability.

What to do
  • Update mercurius to version 16.8.0.
Affected software
VendorProductAffected versionsFix available
mercurius <= 16.8.0 16.8.0
mercurius_project mercurius <= 16.8.0
Original title
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. ...
Original description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.
ghsa CVSS4.0 2.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026