Browse all 4 CVE security advisories affecting mercurius-js. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Mercurius-js is a GraphQL-over-WebSockets library primarily used for building real-time APIs and subscription-based services. Historically, it has been susceptible to multiple Remote Code Execution (RCE) vulnerabilities, Cross-Site Scripting (XSS) flaws, and privilege escalation issues, particularly in versions prior to 12.0.0. The library's WebSocket implementation has been a recurring source of security concerns, with four CVEs recorded to date. While recent versions have addressed many critical issues, developers should maintain updated dependencies and implement proper input validation to mitigate potential risks in production environments.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-30241 | Mercurius: queryDepth limit bypassed for WebSocket subscriptions — mercuriusCWE-863 | 7.5 | - | 2026-03-06 |
| CVE-2025-64166 | Mercurius: Incorrect Content-Type parsing can lead to CSRF attack — mercuriusCWE-352 | 5.4 | Medium | 2026-03-05 |
| CVE-2023-22477 | Mercurius is vulnerable to denial of service (DoS) when using subscriptions — mercuriusCWE-248 | 5.3 | Medium | 2023-01-09 |
| CVE-2021-43801 | Uncaught Exception in mercurius — mercuriusCWE-754 | 7.5 | High | 2021-12-13 |
This page lists every published CVE security advisory associated with mercurius-js. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.