CVE-2021-43801 in Mercurius

Summary

by MITRE • 12/13/2021

Mercurius is a GraphQL adapter for Fastify. Any users from 8.0.0 to 8.11.1 are subjected to a denial of service attack by sending malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.


Analysis

by VulDB Data Team • 12/16/2021

Mercurius serves as a GraphQL adapter for the Fastify web framework, enabling developers to integrate GraphQL capabilities into their applications seamlessly. This adapter facilitates the processing of GraphQL queries through the Fastify HTTP server, making it a critical component in many modern web applications that rely on GraphQL for API communication. The vulnerability affects versions ranging from 8.0.0 through 8.11.1, creating a significant security concern for organizations using this particular version range in their production environments.

The flaw resides in the GraphQL request parsing path within Mercurius, specifically in how malformed JSON payloads sent to the /graphql endpoint are handled. It is a classic denial of service condition: a request carrying invalid JSON causes the GraphQL adapter to crash or become unresponsive. The issue occurs because the adapter lacks proper input validation and error handling for malformed JSON structures, so crafted requests are enough to trigger the failure. The behavior is classified under CWE-400; the missing input validation is the root cause of the denial of service.

The operational impact extends beyond simple service disruption, since the outage can be used as one step in a broader attack. An attacker can render GraphQL endpoints unavailable to legitimate users, degrading or completely removing the application's GraphQL interface. All deployments of affected Mercurius versions are exposed unless they have installed a custom error handler, which serves as a temporary workaround by bypassing the default error handling path that contains the flaw.
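The hardening the advisory describes, shown as an added example that is not code from Mercurius or Fastify: a minimal model of a /graphql handler in its vulnerable shape (a parse error escapes the handler, and in Node an uncaught exception terminates the process) beside a validated shape that answers malformed bodies with HTTP 400, plus a generic catch-all wrapper standing in for the custom error handler workaround. The handler, parser and `executeQuery` names are illustrative; Fastify's real hook for the workaround is `setErrorHandler`, which this stand-alone example does not call.

```javascript
// Added example (not Mercurius/Fastify project code): a minimal model of the
// /graphql request path showing why an unhandled parse error becomes a denial
// of service, and the two defensive patterns the advisory points at: validating
// the body, and a catch-all error handler that turns the failure into a 400.
// All function and field names below are illustrative.

// --- Vulnerable shape: parse errors propagate out of the handler -------------
// A body that is not valid JSON makes JSON.parse throw. If nothing upstream
// catches the exception, the worker goes down: the availability impact in the
// advisory.
function handleGraphqlUnsafe(rawBody) {
  const body = JSON.parse(rawBody); // throws SyntaxError on malformed JSON
  return { status: 200, data: executeQuery(body.query) };
}

// --- Hardened shape: validate, and convert failures into an error response ---
function parseGraphqlBody(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, status: 400, message: 'Body is not valid JSON' };
  }
  // A document that parses but is not a request object (`null`, `42`, `[]`)
  // must be rejected too, not dereferenced.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, status: 400, message: 'Body must be a JSON object' };
  }
  if (typeof body.query !== 'string' || body.query.length === 0) {
    return { ok: false, status: 400, message: 'Missing "query" string' };
  }
  const v = body.variables;
  if (v !== undefined && (v === null || typeof v !== 'object' || Array.isArray(v))) {
    return { ok: false, status: 400, message: '"variables" must be an object' };
  }
  return { ok: true, query: body.query, variables: v || {} };
}

function handleGraphqlSafe(rawBody) {
  const parsed = parseGraphqlBody(rawBody);
  if (!parsed.ok) {
    // Same wire shape GraphQL clients already understand: an errors array.
    return { status: parsed.status, errors: [{ message: parsed.message }] };
  }
  return { status: 200, data: executeQuery(parsed.query, parsed.variables) };
}

// --- Custom error handler: the advisory's workaround, modelled generically ---
// Wraps any handler so an exception becomes a response instead of a crash.
// Fastify exposes this hook as fastify.setErrorHandler(); this is a stand-in
// with the same intent, not the Fastify implementation.
function withErrorHandler(handler) {
  return (rawBody) => {
    try {
      return handler(rawBody);
    } catch (err) {
      // Client-caused parse failures are 400; anything else is a server error.
      const status = err instanceof SyntaxError ? 400 : 500;
      const message = status === 400 ? 'Bad Request' : 'Internal Server Error';
      return { status, errors: [{ message }] };
    }
  };
}

// Stand-in for GraphQL execution (constructed; not a real GraphQL engine).
function executeQuery(query, variables = {}) {
  return { executed: query, variables };
}

// Usage: the unsafe handler throws on malformed JSON; the safe handler and the
// wrapped unsafe handler both answer with a 400 instead.
const wrappedUnsafe = withErrorHandler(handleGraphqlUnsafe);
console.log(handleGraphqlSafe('{"query": '));   // { status: 400, errors: [...] }
console.log(wrappedUnsafe('{"query": '));       // { status: 400, errors: [...] }
console.log(handleGraphqlSafe('{"query":"{ hello }"}')); // status 200
```

The validation step matters independently of the try/catch: a body such as `null` or `[]` parses cleanly, so a handler that only guards `JSON.parse` still dereferences a non-object one line later. The wrapper mirrors what a custom error handler buys a deployment that cannot upgrade yet: the failure stays inside the request and the process keeps serving other clients.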

Security practitioners should note that this vulnerability maps to ATT&CK technique T1499.004 (a denial of service sub-technique), as it targets availability through malformed request processing. The attack surface is particularly concerning for applications that expose GraphQL endpoints publicly, since these endpoints often serve as the primary API for mobile applications, single page applications, and other client-side systems. Organizations running Mercurius in production should upgrade to version 8.11.2 promptly or install a custom error handler to mitigate the risk. The fix shipped in 8.11.2 addresses the parsing issue by tightening input validation and making error handling robust enough that malformed JSON no longer disrupts the service. The case illustrates why input validation matters in API gateways and GraphQL implementations: a seemingly minor parsing flaw can have a significant availability impact.
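Detection logic, as an added example that is not from VulDB or the Mercurius project: a small scanner over reverse-proxy access logs. It assumes a constructed one-line-per-request format (timestamp, client IP, request line, status) and looks for the two symptoms this issue leaves behind: a burst of 400s on POST /graphql from one client, which is what a patched 8.11.2 or a custom error handler returns for bad JSON, and a run of 502s for /graphql from the proxy once the backend has gone down. The sample lines, IP addresses and thresholds are constructed.

```javascript
// Added example (constructed log format and data; not VulDB or Mercurius code).
// Two checks over proxy access logs for the symptoms of CVE-2021-43801:
//   1. a client sending many malformed POST /graphql requests (seen as 400s
//      once validation or a custom error handler is in place);
//   2. the backend being down (seen as consecutive 502s from the proxy).

// Constructed sample: "<ISO time> <client ip> "<method> <path>" <status>"
const SAMPLE_LOG = [
  '2021-12-14T10:00:01Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:02Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:02Z 198.51.100.2 "POST /graphql" 200',
  '2021-12-14T10:00:03Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:04Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:05Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:06Z 198.51.100.2 "POST /graphql" 400',
  '2021-12-14T10:00:07Z 203.0.113.7 "POST /graphql" 400',
  '2021-12-14T10:00:30Z 198.51.100.2 "POST /graphql" 502',
  '2021-12-14T10:00:31Z 192.0.2.9 "GET /graphql" 502',
  '2021-12-14T10:00:32Z 198.51.100.2 "POST /graphql" 502',
];

// Parse one line of the constructed format; returns null for lines that do
// not match, so a malformed log line cannot break the scan.
function parseLine(line) {
  const m = /^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$/.exec(line);
  if (!m) return null;
  return { time: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Flag clients with at least `threshold` 400s on POST /graphql inside any
// `windowMs` window. Sliding window over each client's sorted timestamps.
function findMalformedRequestBursts(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== '/graphql' || e.status !== 400) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.time);
  }
  const findings = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let best = 0, bestStart = null, start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      const n = end - start + 1;
      if (n > best) { best = n; bestStart = times[start]; }
    }
    if (best >= threshold) {
      findings.push({ ip, count: best, firstSeen: new Date(bestStart).toISOString() });
    }
  }
  return findings;
}

// Report an outage when the proxy answers `minConsecutive` /graphql requests
// in a row with 502, which is how a crashed adapter looks from the edge.
function findBackendOutage(lines, { minConsecutive = 3 } = {}) {
  let streak = 0, streakStart = null;
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.path !== '/graphql') continue;
    if (e.status === 502) {
      if (streak === 0) streakStart = e.time;
      streak++;
      if (streak >= minConsecutive) {
        return { outage: true, since: new Date(streakStart).toISOString(), requestsFailed: streak };
      }
    } else {
      streak = 0; // any non-502 answer from the backend breaks the streak
    }
  }
  return { outage: false };
}

// Usage over the constructed sample.
console.log(findMalformedRequestBursts(SAMPLE_LOG)); // one client flagged
console.log(findBackendOutage(SAMPLE_LOG));          // outage since 10:00:30Z
```

On an unpatched 8.0.0 to 8.11.1 deployment without a custom error handler the first check sees nothing, because the adapter never gets as far as returning a 400; the second check is the one that fires. Running both before and after the upgrade gives a simple way to confirm that malformed bodies are now being rejected rather than crashing the process.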

Responsible

GitHub, Inc.

Reservation

11/16/2021

Disclosure

12/13/2021

Moderation

accepted

CPE

ready

EPSS

0.01522

KEV

no

Activities

very low
