Mercurius, Query Depth Bypass, CVE-2026-12345 (Low)

Listen to this Post

The vulnerability arises from inconsistent enforcement of security controls within Mercurius, a GraphQL adapter for Fastify. The software implements a `queryDepth` limit to prevent clients from submitting overly complex queries that could exhaust server resources. This check is correctly invoked during the validation phase for standard GraphQL operations received over HTTP (queries and mutations). However, the function responsible for validating the depth of a query is not called when processing subscription operations established over a WebSocket connection. Consequently, an attacker can initiate a WebSocket connection and send a subscription payload containing a GraphQL query with an extremely deep nesting structure. Because the depth validation is skipped, the server parses the query and registers it. Each time a subscription event is triggered, the server must resolve data for that deeply nested query. On a schema that contains recursive relationships (e.g., a user with friends who are also users), resolving this nested structure can lead to exponential resource consumption (CPU and memory), resulting in a Denial of Service (DoS) condition. The patch would involve ensuring the depth validation routine is also executed on the query document received during the WebSocket subscription handshake.

dailycve form:

Platform: Mercurius
Version: prior unspecified
Vulnerability : queryDepth bypass
Severity: Low
date: 2026-03-06

Prediction: Already patched

What Undercode Say:

Analytics:

  • Affected Component: GraphQL subscription handler over WebSocket.
  • Vulnerability Type: Security control bypass leading to resource exhaustion.
  • Attack Vector: Remote, unauthenticated WebSocket connection.
  • Prerequisite: GraphQL schema with recursive or deeply nestable types.
  • Root Cause: Missing validation hook in the subscription execution path.

Exploit:

Example using a WebSocket client (websocat) to send a malicious subscription payload
This payload attempts to exploit a recursive 'friend' field to cause deep nesting
echo '{
"type": "subscribe",
"id": "1",
"payload": {
"query": "subscription { newUser { name friends { name friends { name friends { name friends { name } } } } } }"
}
}' | websocat ws://target-graphql-server.com/graphql

Protection from this CVE:

Immediate Workaround: Disable subscriptions entirely in the Mercurius configuration.
const app = require('fastify')();
const mercurius = require('mercurius');
app.register(mercurius, {
schema: yourSchema,
resolvers: yourResolvers,
subscription: false // <-- Disable WebSocket subscriptions
});
Long-term Fix: Apply vendor patch and verify depth limiting middleware is applied to all operation types.
Ensure the depthLimit function is integrated into the subscription validation pipeline.
const depthLimit = require('graphql-depth-limit');
app.register(mercurius, {
schema: yourSchema,
resolvers: yourResolvers,
validationRules: [depthLimit(10)] // Apply rule globally
});

Impact:

Denial of Service. A remote, unauthenticated attacker can crash the GraphQL server or make it unresponsive by sending a single malicious subscription request over WebSocket, affecting all users relying on the service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Parse Server, File Creation/Deletion Bypass, CVE-2026-30228 (Moderate)

Scroll to Top