DEV Community

CVE Reports

Originally published at cvereports.com
CVE-2026-30241: Missing Query Depth Validation in Mercurius GraphQL Subscriptions

Vulnerability ID: CVE-2026-30241
CVSS Score: 2.7
Published: 2026-03-06

A logic vulnerability in the Mercurius GraphQL adapter for Fastify allows attackers to bypass the configured query depth limit by sending an operation as a WebSocket subscription. Standard HTTP queries are validated against the queryDepth option, but subscription operations received over the WebSocket transport skip this check. The oversight lets unauthenticated remote attackers submit arbitrarily nested selection sets, potentially leading to Denial of Service (DoS) through CPU and memory exhaustion when the subscription events are resolved.

TL;DR

Mercurius versions prior to 16.8.0 do not apply the queryDepth limit to GraphQL subscriptions delivered over WebSockets. An attacker can use a subscription to send deeply nested operations that exhaust server resources, even when the same operation would be rejected over HTTP.


⚠️ Exploit Status: PoC

Technical Details

  • CVE ID: CVE-2026-30241
  • CVSS v4.0: 2.7 (Low)
  • CWE: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network (WebSocket)
  • Impact: Denial of Service
  • Exploit Status: PoC Available (Regression Test)

Affected Systems

  • Mercurius GraphQL Adapter
  • Fastify applications using Mercurius
  • Node.js GraphQL servers using Mercurius subscriptions
  • mercurius: < 16.8.0 (Fixed in: 16.8.0)

Code Analysis

Commit: 5b56f60

Fix: apply queryDepth validation to subscription queries

Exploit Details

  • GitHub Commit: Regression test included in the fix commit demonstrates the vulnerability.

Mitigation Strategies

  • Software Update
  • Input Validation
  • Resource Limiting

Remediation Steps:

  1. Update the mercurius dependency to version 16.8.0 or later, for example with npm install mercurius@latest.
  2. Verify that queryDepth is actually set in the Mercurius registration options, for example app.register(mercurius, { queryDepth: 10, ... }). The fix only extends the configured limit to subscriptions; it does nothing if no limit is configured.
  3. Audit GraphQL schemas to identify and potentially simplify unnecessary recursive relationships.
  4. Consider implementing global rate limiting or cost analysis (e.g., graphql-cost-analysis) as a defense-in-depth measure alongside depth limiting.
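As an added illustration of the bug described above and of remediation step 2, the following JavaScript is not Mercurius's own code nor the content of the fix commit. It shows a depth limit that is enforced on the HTTP path but skipped on the WebSocket subscribe path, beside the corrected shape in which both entry points share one check. The depth counter is a simplified brace-nesting scan rather than a GraphQL AST walk, and the function names (selectionDepth, enforceDepth, wsSubscribeVulnerable, wsSubscribeFixed, nestedSubscription), the opts.queryDepth field and the convention that "subscription { a { b } }" has depth 2 are assumptions of this example, not the Mercurius API.

```javascript
// Added example, not Mercurius code: enforce one queryDepth limit on every
// GraphQL operation, whatever transport or operation type delivered it.
// Simplification (assumption of this example): depth is measured by brace
// nesting after removing strings, comments and argument lists, so
// "subscription { a { b } }" has depth 2. Real servers walk the parsed AST.

// Remove string literals, comments and balanced argument lists, so braces in
// object-literal arguments or variable defaults do not count as nesting.
function stripNonSelectionBraces(src) {
  const noStrings = src.replace(/"""[\s\S]*?"""|"(?:[^"\\]|\\.)*"/g, '""');
  const noComments = noStrings.replace(/#[^\n]*/g, '');
  let out = noComments;
  let prev;
  do { prev = out; out = out.replace(/\([^()]*\)/g, ''); } while (out !== prev);
  return out;
}

// Maximum nesting of selection sets; throws on unbalanced braces.
function selectionDepth(src) {
  let depth = 0;
  let max = 0;
  for (const ch of stripNonSelectionBraces(src)) {
    if (ch === '{') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth -= 1;
      if (depth < 0) throw new Error('unbalanced selection set');
    }
  }
  if (depth !== 0) throw new Error('unbalanced selection set');
  return max;
}

// First keyword of the document; the anonymous "{ ... }" shorthand is a query.
function operationType(src) {
  const m = stripNonSelectionBraces(src).trim().match(/^(query|mutation|subscription)\b/);
  return m ? m[1] : 'query';
}

// The single check every entry point should run. opts.queryDepth mirrors the
// registration option the remediation steps tell you to set (assumed name).
function enforceDepth(src, opts) {
  const depth = selectionDepth(src);
  if (depth > opts.queryDepth) {
    throw new Error(`${operationType(src)} exceeds the query depth limit of ${opts.queryDepth} (depth ${depth})`);
  }
  return depth;
}

// Pre-fix shape described by the advisory: the HTTP handler validates, the
// WebSocket subscribe handler does not.
function httpHandler(src, opts) {
  enforceDepth(src, opts);
  return 'accepted';
}
function wsSubscribeVulnerable(src, opts) {
  return 'accepted'; // depth never checked; the nested operation reaches the resolvers
}

// Post-fix shape: the subscribe path goes through the same validation.
function wsSubscribeFixed(src, opts) {
  enforceDepth(src, opts);
  return 'accepted';
}

// Constructed attacker payload: a subscription nested n selection sets below
// the operation itself, so its depth is n + 1.
function nestedSubscription(n, field = 'node') {
  let body = 'id';
  for (let i = 0; i < n; i++) body = `${field} { ${body} }`;
  return `subscription { ${body} }`;
}

// Run a handler and report the outcome instead of throwing.
function outcome(handler, src, opts) {
  try {
    return handler(src, opts);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Stand-alone demonstration with a constructed payload far beyond the limit.
const demoOpts = { queryDepth: 10 };
const demoPayload = nestedSubscription(200);
console.log('depth', selectionDepth(demoPayload));
console.log('HTTP           ', outcome(httpHandler, demoPayload, demoOpts));
console.log('WS (vulnerable)', outcome(wsSubscribeVulnerable, demoPayload, demoOpts));
console.log('WS (fixed)     ', outcome(wsSubscribeFixed, demoPayload, demoOpts));
```

The point to take from the two WebSocket handlers is that the transport is irrelevant to the cost of resolving an operation: whichever path parses the document must run the same enforceDepth step before any resolver executes. In a real deployment, pair this with the rate limiting or cost analysis of step 4, since depth alone does not bound the width of a selection set.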

Read the full report for CVE-2026-30241 on our website for more details including interactive diagrams and full exploit analysis.
