CVE-2021-43801 Explained : Impact and Mitigation
Learn about CVE-2021-43801 affecting Mercurius GraphQL adapter. Users of versions 8.10.0 to 8.11.1 were at risk. Upgrade to v8.11.2 and implement a custom error handler for protection.
Mercurius is a GraphQL adapter for Fastify that was vulnerable to a denial of service attack. Users of versions 8.10.0 to 8.11.1 were at risk. The issue has been resolved in version 8.11.2.
Understanding CVE-2021-43801
Mercurius users were susceptible to a denial of service attack due to improper handling of input.
What is CVE-2021-43801?
- Mercurius@8.10.0 to 8.11.1 users could face a denial of service attack by sending malformed JSON to
/graphql- The vulnerability is fixed in v8.11.2
The Impact of CVE-2021-43801
- CVSS Score: 7.5 (High)
- Attack Vector: Network
- Availability Impact: High
- CWE-754: Improper Check for Unusual or Exceptional Conditions
Technical Details of CVE-2021-43801
Mercurius vulnerability details and affected systems.
Vulnerability Description
- Users of Mercurius@8.10.0 to 8.11.1 were vulnerable to a denial of service attack by sending malformed JSON to
/graphqlAffected Systems and Versions
- Affected Product: Mercurius
- Vendor: mercurius-js
- Affected Versions: >= 8.10.0, < 8.11.2
Exploitation Mechanism
- Attackers could exploit the vulnerability by sending a specially crafted JSON payload to
/graphqlMitigation and Prevention
Protecting systems from CVE-2021-43801.
Immediate Steps to Take
- Upgrade Mercurius to version 8.11.2
- Implement a custom error handler as a workaround
Long-Term Security Practices
- Regularly update software and dependencies
- Implement proper input validation and error handling
- Monitor for unusual network activity
Patching and Updates
- Apply patches promptly