Mercurius is a GraphQL adapter designed for the Fastify web framework, facilitating GraphQL APIs with support for queries, mutations, and subscriptions. Prior to version 16.8.0, mercurius failed to enforce the configured queryDepth limit on subscription queries received via WebSocket connections. The queryDepth limit is a security control intended to restrict the maximum depth of nested GraphQL queries to prevent resource exhaustion and potential denial of service. While mercurius correctly applied this limit to HTTP-based queries and mutations, subscription queries—long-lived connections that push data updates—were parsed and executed without invoking the depth validation logic. This discrepancy allows remote clients to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On GraphQL schemas that include recursive types, such deeply nested subscription queries can cause exponential growth in data resolution workload for each subscription event, leading to denial of service by overwhelming server resources. The vulnerability is identified as CWE-863 (Incorrect Authorization), as the enforcement of query depth limits is effectively an authorization control that was not applied consistently. The issue requires no authentication or user interaction and can be exploited remotely. The vulnerability was assigned CVE-2026-30241 and has a CVSS 4.0 base score of 2.7 (low severity), reflecting limited impact and ease of exploitation but low overall risk. The flaw was patched in mercurius version 16.8.0 by ensuring the queryDepth limit is enforced uniformly across all query types, including subscriptions over WebSocket.

The primary impact of this vulnerability is a denial of service condition caused by resource exhaustion on servers running vulnerable versions of mercurius with GraphQL subscriptions enabled over WebSocket. Attackers can craft deeply nested subscription queries that bypass depth limits, causing exponential data resolution and high CPU/memory consumption on each subscription event. This can degrade service availability, cause server crashes, or force restarts, impacting application uptime and user experience. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the denial of service can disrupt business operations, especially for real-time applications relying on GraphQL subscriptions. Organizations with high traffic or complex recursive GraphQL schemas are at greater risk. The low CVSS score reflects that exploitation does not compromise confidentiality or integrity and requires specific conditions (use of subscriptions over WebSocket). No known exploits are reported in the wild, but the vulnerability could be leveraged in targeted denial of service attacks against affected services.

To mitigate this vulnerability, organizations should upgrade mercurius to version 16.8.0 or later, where the issue is patched. If immediate upgrade is not feasible, consider disabling GraphQL subscriptions over WebSocket or restricting access to subscription endpoints via network controls or authentication to limit exposure. Implement additional rate limiting and query complexity analysis on subscription queries to detect and block unusually deep or complex queries. Review GraphQL schema design to minimize recursive types or deeply nested structures that could exacerbate resource consumption. Monitor server resource usage and logs for signs of abnormal subscription query patterns. Employ Web Application Firewalls (WAFs) or API gateways capable of enforcing query depth limits on WebSocket traffic. Finally, ensure that all GraphQL-related dependencies are kept up to date and that security patches are applied promptly.