Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/mercurius@0.0.6

Type npm

Namespace

Name mercurius

Version 0.0.6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 16.8.0

Latest_non_vulnerable_version 16.8.0

Affected_by_vulnerabilities

url VCID-9ana-umuc-vfh3

vulnerability_id VCID-9ana-umuc-vfh3

summary Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-30241

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05706
published_at	2026-06-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05731
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-30241

reference_url

https://github.com/mercurius-js/mercurius

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/mercurius-js/mercurius

reference_url

https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986

reference_id

5b56f60f4b0d60780b0ff499a479bd830bdd6986

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:44:23Z/

url

https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-30241

reference_id

CVE-2026-30241

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-30241

reference_url

https://github.com/advisories/GHSA-m4h2-mjfm-mp55

reference_id

GHSA-m4h2-mjfm-mp55

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m4h2-mjfm-mp55

reference_url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55

reference_id

GHSA-m4h2-mjfm-mp55

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:44:23Z/

url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55

fixed_packages

url	pkg:npm/mercurius@16.8.0
purl	pkg:npm/mercurius@16.8.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/mercurius@16.8.0

aliases CVE-2026-30241, GHSA-m4h2-mjfm-mp55

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ana-umuc-vfh3

url VCID-s75m-nyf8-vyge

vulnerability_id VCID-s75m-nyf8-vyge

summary Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22477

reference_id

reference_type

scores

value	0.00247
scoring_system	epss
scoring_elements	0.48385
published_at	2026-06-13T12:55:00Z

value	0.00247
scoring_system	epss
scoring_elements	0.48231
published_at	2026-06-11T12:55:00Z

value	0.00247
scoring_system	epss
scoring_elements	0.48368
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22477

reference_url

https://github.com/fastify/fastify-websocket/pull/228

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/fastify/fastify-websocket/pull/228

reference_url

https://github.com/mercurius-js/mercurius

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mercurius-js/mercurius

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22477

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22477

reference_url

https://github.com/mercurius-js/mercurius/issues/939

reference_id

939

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:02:16Z/

url

https://github.com/mercurius-js/mercurius/issues/939

reference_url

https://github.com/mercurius-js/mercurius/pull/940

reference_id

940

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:02:16Z/

url

https://github.com/mercurius-js/mercurius/pull/940

reference_url

https://github.com/advisories/GHSA-cm8h-q92v-xcfc

reference_id

GHSA-cm8h-q92v-xcfc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cm8h-q92v-xcfc

reference_url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc

reference_id

GHSA-cm8h-q92v-xcfc

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:02:16Z/

url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-cm8h-q92v-xcfc

fixed_packages

url pkg:npm/mercurius@8.13.2

purl pkg:npm/mercurius@8.13.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ana-umuc-vfh3

vulnerability	VCID-szmm-tfdp-nfce

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mercurius@8.13.2

url pkg:npm/mercurius@11.5.0

purl pkg:npm/mercurius@11.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ana-umuc-vfh3

vulnerability	VCID-szmm-tfdp-nfce

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mercurius@11.5.0

aliases CVE-2023-22477, GHSA-cm8h-q92v-xcfc

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s75m-nyf8-vyge

url VCID-szmm-tfdp-nfce

vulnerability_id VCID-szmm-tfdp-nfce

summary Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64166

reference_id

reference_type

scores

value	8e-05
scoring_system	epss
scoring_elements	0.0069
published_at	2026-06-12T12:55:00Z

value	8e-05
scoring_system	epss
scoring_elements	0.00692
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64166

reference_url

https://github.com/mercurius-js/mercurius

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mercurius-js/mercurius

reference_url

https://github.com/mercurius-js/mercurius/pull/1187

reference_id

1187

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-05T16:34:32Z/

url

https://github.com/mercurius-js/mercurius/pull/1187

reference_url

https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c

reference_id

962d402ec7a92342f4a1b7f5f04af01776838c3c

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-05T16:34:32Z/

url

https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64166

reference_id

CVE-2025-64166

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64166

reference_url

https://github.com/advisories/GHSA-v66j-6wwf-jc57

reference_id

GHSA-v66j-6wwf-jc57

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v66j-6wwf-jc57

reference_url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57

reference_id

GHSA-v66j-6wwf-jc57

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-05T16:34:32Z/

url

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57

fixed_packages

url pkg:npm/mercurius@16.4.0

purl pkg:npm/mercurius@16.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ana-umuc-vfh3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mercurius@16.4.0

aliases CVE-2025-64166, GHSA-v66j-6wwf-jc57

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-szmm-tfdp-nfce

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mercurius@0.0.6

Package Instance