CVE Reports
Originally published at cvereports.com

GHSA-HWR4-MQ23-WCV5: Cache Key Collision and Authorization Bypass in Mercure Hub

Vulnerability ID: GHSA-HWR4-MQ23-WCV5
CVSS Score: 7.1
Published: 2026-04-08

The Mercure Hub's TopicSelectorStore is vulnerable to a cache key collision due to improper delimiter handling. This vulnerability enables an attacker to bypass authorization checks, leading to unauthorized access to private topic data or targeted denial-of-service conditions.
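The collision and the effect of the struct key can be reproduced in isolation. The following is an added example, not code from the Mercure repository: `exactMatch`, `lookupLegacy`, `lookupFixed` and `secondLookup` are hypothetical helpers, the topic values are constructed, and only the key layout and the `matchCacheKey` field names come from the fix commit shown under Code Analysis.

```go
package main

import "fmt"

// legacyKey mirrors the concatenation the fix removed: "m_" + selector + "_" + topic.
func legacyKey(topicSelector, topic string) string {
	return "m_" + topicSelector + "_" + topic
}

// matchCacheKey keeps both fields separate, so no byte in either can act as a delimiter.
type matchCacheKey struct {
	topicSelector string
	topic         string
}

// exactMatch is a hypothetical stand-in for the hub's selector matching.
func exactMatch(topicSelector, topic string) bool { return topicSelector == topic }

// lookupLegacy and lookupFixed memoise exactMatch under the string key and the struct key.
func lookupLegacy(cache map[string]bool, s, t string) bool {
	k := legacyKey(s, t)
	if v, ok := cache[k]; ok {
		return v
	}
	cache[k] = exactMatch(s, t)
	return cache[k]
}

func lookupFixed(cache map[matchCacheKey]bool, s, t string) bool {
	k := matchCacheKey{topicSelector: s, topic: t}
	if v, ok := cache[k]; ok {
		return v
	}
	cache[k] = exactMatch(s, t)
	return cache[k]
}

// secondLookup caches (s1,t1), then asks both caches about (s2,t2); main passes constructed values.
func secondLookup(s1, t1, s2, t2 string) (legacy, fixed bool) {
	lc, fc := map[string]bool{}, map[matchCacheKey]bool{}
	lookupLegacy(lc, s1, t1)
	lookupFixed(fc, s1, t1)
	return lookupLegacy(lc, s2, t2), lookupFixed(fc, s2, t2)
}

func main() {
	fmt.Println(secondLookup("a_b", "a_b", "a", "b_a_b")) // true false
	fmt.Println(secondLookup("a", "b_a_b", "a_b", "a_b")) // false true
}
```

The first line shows a stale `true` answering for a pair that does not match (the authorization bypass); the second shows a stale `false` denying a pair that does match (the denial of service).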

TL;DR

A delimiter injection vulnerability in Mercure Hub's cache mechanism allows authenticated attackers to access private topic data or cause denial of service via cache key collisions.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Improper Validation of Unsafe Equivalence in Input (CWE-1289)
  • Attack Vector: Network (Authenticated)
  • CVSS 4.0 Score: 7.1 (High)
  • Confidentiality Impact: High
  • Exploit Maturity: Proof of Concept (PoC)
  • Fixed Version: v0.22.0

Affected Systems

  • Mercure Hub (github.com/dunglas/mercure)
  • Mercure Hub: < 0.22.0 (Fixed in: v0.22.0)

Code Analysis

Commit: 4964a69

Replaces string concatenation with a strongly typed matchCacheKey struct to prevent delimiter injection.

--- a/topicselector.go
+++ b/topicselector.go
@@ -x,x +y,y @@
-var b strings.Builder
-b.Grow(3 + len(topicSelector) + len(topic))
-b.WriteString("m_")
-b.WriteString(topicSelector)
-b.WriteByte('_')
-b.WriteString(topic)
-k = b.String()
+k := matchCacheKey{topicSelector: topicSelector, topic: topic}
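Review bot: the added line declares `k` with `:=`, while the removed code assigned to an existing variable (`k = b.String()`), so if `k` is still declared earlier in the function this either fails to compile or shadows it in an inner scope; confirm the earlier declaration was removed or retyped in the same commit. The key type also changes from string to matchCacheKey, so the cache's key type and any other code that builds or reads `m_`-prefixed keys must change with it, and the `strings` import should be dropped if the Builder was its only use. A short doc comment on matchCacheKey stating that the two fields must never be joined into one string would help keep the concatenation from being reintroduced.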

Exploit Details

  • Official GitHub Repository: The official fix commit includes a comprehensive test case (TestMatchCacheKeyNoCollision) that demonstrates how the collision occurs.

Mitigation Strategies

  • Upgrade the Mercure Hub binary/container to version 0.22.0 or higher.
  • Audit existing publisher and subscriber access tokens to enforce the principle of least privilege.
  • Review current topic naming conventions for unnecessary complexity or overlapping namespace structures.

Remediation Steps:

  1. Verify the current version of the Mercure Hub running in production.
  2. Download the release binary for v0.22.0 or pull the corresponding Docker image tag.
  3. Deploy the updated binary/container to a staging environment and run integration tests.
  4. Execute a rolling restart of the production Mercure instances to apply the patch without dropping active connections.
