CVE-2026-30241: CWE-863: Incorrect Authorization in mercurius-js mercurius
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.
AI Analysis
Technical Summary
Mercurius-js is a GraphQL adapter designed to integrate with the Fastify web framework, enabling GraphQL API implementations. It includes a configurable queryDepth limit to prevent excessively nested queries that could degrade performance or cause denial of service. However, prior to version 16.8.0, mercurius fails to enforce this depth limit on GraphQL subscription queries transmitted over WebSocket connections. The depth validation logic is correctly applied to HTTP-based queries and mutations but is omitted for subscription queries, which are parsed and executed without invoking the depth check. This discrepancy allows remote clients to submit arbitrarily deeply nested subscription queries. On schemas that include recursive types, such deeply nested subscriptions can trigger exponential data resolution for each subscription event, significantly increasing server resource consumption and potentially causing denial of service. The vulnerability is classified under CWE-863 (Incorrect Authorization), reflecting the failure to enforce intended access control policies. The issue was publicly disclosed on March 6, 2026, with no known exploits in the wild. The vulnerability has a CVSS 4.0 base score of 2.7, indicating low severity; the score reflects the limited impact (availability only) rather than any difficulty in exploitation. The problem is resolved in mercurius version 16.8.0 by applying the depth validation uniformly to subscription queries over WebSocket.
Potential Impact
The primary impact of this vulnerability is a denial of service (DoS) condition caused by resource exhaustion. Attackers can exploit the missing depth validation on subscription queries to submit deeply nested GraphQL subscriptions, which on recursive schemas can cause exponential data processing for each event. This can degrade server performance, increase latency, or cause crashes, disrupting service availability. Organizations running GraphQL APIs with mercurius versions prior to 16.8.0 and supporting subscriptions over WebSocket are at risk. Although the vulnerability does not allow data leakage or unauthorized data modification, the DoS impact can affect service reliability and user experience. The low CVSS score reflects the limited scope and impact, but high-volume or targeted attacks could still cause significant operational disruption. Since no authentication or user interaction is required, the attack surface includes any client able to connect to the WebSocket endpoint. This could affect public-facing APIs or internal services exposed to untrusted networks. The absence of known exploits suggests limited current threat activity, but the vulnerability should be addressed proactively.
Mitigation Recommendations
The primary mitigation is to upgrade mercurius to version 16.8.0 or later, where the depth validation is correctly enforced on subscription queries over WebSocket. Organizations should audit their GraphQL APIs to identify mercurius versions in use and prioritize patching vulnerable instances. Additionally, implement WebSocket connection rate limiting and query complexity analysis to detect and block abnormal subscription query patterns. Monitoring resource usage and setting thresholds for subscription event processing can help detect potential abuse. Employ network-level controls to restrict access to subscription endpoints where possible. For schemas with recursive types, consider schema design reviews to limit recursion depth and complexity. Logging and alerting on unusually deep or complex subscription queries can provide early warning of exploitation attempts. Finally, maintain up-to-date dependency management and vulnerability scanning to detect and remediate similar issues promptly.
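The "query complexity analysis" and "alerting on unusually deep subscription queries" recommended above both need a depth measurement that runs on every operation before execution, whatever transport or operation type carried it. The following is an added illustration, not mercurius code: it scans a GraphQL document for the maximum nesting of selection sets (counting the operation's own selection set as depth 1, a convention chosen for this example) and returns a verdict the WebSocket and HTTP handlers can both act on. It assumes the server can intercept each operation before the executor, and because it does not expand fragment spreads it is a pre-parse guard to place in front of an AST-based check, not a replacement for one.

```javascript
// Added example (not mercurius code): a transport-agnostic depth guard applied
// to every GraphQL document, so subscriptions over WebSocket get the same check
// as HTTP queries. Depth convention: the operation's own selection set is 1.
function maxSelectionDepth(document) {
  let depth = 0, maxDepth = 0, i = 0;
  while (i < document.length) {
    const ch = document[i];
    if (document.startsWith('"""', i)) {          // block string: skip whole
      const end = document.indexOf('"""', i + 3);
      i = end === -1 ? document.length : end + 3;
      continue;
    }
    if (ch === '"') {                              // string literal, with escapes
      i++;
      while (i < document.length && document[i] !== '"') {
        if (document[i] === '\\') i++;
        i++;
      }
    } else if (ch === '#') {                       // comment: skip to end of line
      while (i < document.length && document[i] !== '\n') i++;
    } else if (ch === '{') {                       // a selection set opens
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {                       // a selection set closes
      depth--;
    }
    i++;
  }
  return maxDepth;   // fragment spreads are not expanded (pre-parse guard only)
}
// Operation type from the leading keyword; a bare "{" is shorthand for a query.
function operationType(document) {
  const body = document.replace(/#[^\n]*/g, '').trimStart();
  const m = /^(query|mutation|subscription)\b/.exec(body);
  if (m) return m[1];
  return body.startsWith('{') ? 'query' : 'unknown';
}
// Verdict for the transport layer: reject (close socket / return error) before
// the operation reaches the executor. Same call for HTTP and WebSocket paths.
function enforceQueryDepth(document, limit) {
  const depth = maxSelectionDepth(document);
  return { operation: operationType(document), depth, allowed: depth <= limit };
}
// Constructed sample: a subscription on a recursive type, nested to depth 5,
// which a queryDepth limit of 4 must reject exactly as it would for a query.
const DEEP_SUBSCRIPTION = `subscription {
  commentAdded { author { friends { friends { name } } } }
}`;
```

Hooking enforceQueryDepth into the WebSocket message handler as well as the HTTP route is the point: the page's bug is that only one of the two paths performed the check.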
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.799Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab479ac48b3f10ffdbff8b
Added to database: 3/6/2026, 9:31:06 PM
Last enriched: 3/14/2026, 7:43:49 PM
Last updated: 4/20/2026, 5:04:09 PM