CVE-2026-30241 Overview
CVE-2026-30241 is a GraphQL Vulnerability affecting Mercurius, a popular GraphQL adapter for Fastify. The vulnerability exists because Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. While the depth check is correctly applied to HTTP queries and mutations, subscription queries are parsed and executed without invoking the depth validation, allowing attackers to bypass intended security restrictions.
Critical Impact
Remote attackers can submit arbitrarily deeply nested subscription queries over WebSocket, bypassing depth restrictions. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event.
Affected Products
- Mercurius versions prior to 16.8.0
- Mercurius for Node.js applications using WebSocket subscriptions
- Applications with recursive GraphQL types and queryDepth limits configured
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-30241 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30241
Vulnerability Analysis
This vulnerability represents an Incorrect Authorization (CWE-863) issue where the security control responsible for enforcing query depth limits operates inconsistently across different transport mechanisms. The Mercurius GraphQL adapter implements query depth validation as a protective measure against resource exhaustion attacks, but this validation is only triggered for standard HTTP-based GraphQL operations.
When a client establishes a WebSocket connection for GraphQL subscriptions, the incoming subscription queries bypass the depth validation logic entirely. This creates a security gap where the same deeply nested query that would be rejected over HTTP is accepted and executed when submitted as a subscription over WebSocket.
The network-accessible nature of this vulnerability means any remote client capable of establishing a WebSocket connection can exploit this flaw without authentication. The primary impact is on system availability, as deeply nested queries on recursive schema types can trigger exponential data resolution, consuming server resources and potentially causing denial of service conditions.
Root Cause
The root cause lies in the architectural separation between HTTP and WebSocket query processing within Mercurius. The depth validation middleware was implemented specifically for the HTTP request handling path but was not integrated into the WebSocket subscription handler. This oversight means that while the queryDepth configuration option exists and functions for standard queries, the WebSocket subscription path does not call the same validation function before executing incoming subscription queries.
Attack Vector
The attack vector is network-based, requiring no user interaction or special privileges. An attacker can exploit this vulnerability by:
- Connecting to the target application's WebSocket endpoint used for GraphQL subscriptions
- Crafting a subscription query with nesting depth exceeding the configured queryDepth limit
- Submitting the deeply nested subscription query over the WebSocket connection
- Triggering subscription events that cause the server to resolve the excessively nested query structure
On schemas containing recursive types (such as self-referential relationships), each subscription event forces the server to traverse and resolve the deeply nested query tree. This can lead to exponential resource consumption, effectively causing a denial of service condition that persists as long as the subscription remains active and events are triggered.
The vulnerability is particularly dangerous in applications that have intentionally configured queryDepth limits as a security measure, as administrators may have a false sense of protection while WebSocket subscriptions remain unprotected.
Detection Methods for CVE-2026-30241
Indicators of Compromise
- Unusual WebSocket connection patterns with high-frequency subscription requests
- Server resource exhaustion (CPU and memory spikes) coinciding with active GraphQL subscriptions
- Error logs indicating slow query resolution or timeout conditions during subscription events
- Network traffic analysis showing deeply nested GraphQL subscription payloads over WebSocket
Detection Strategies
- Monitor WebSocket connections for GraphQL subscription queries that exceed expected nesting depths
- Implement application-level logging to track subscription query complexity metrics
- Deploy GraphQL-aware intrusion detection rules that analyze query structure regardless of transport
- Compare resource utilization patterns between HTTP GraphQL operations and WebSocket subscriptions
Monitoring Recommendations
- Enable verbose logging for the Mercurius GraphQL layer to capture all incoming subscription queries
- Set up alerting for abnormal memory or CPU consumption on servers handling GraphQL workloads
- Implement query analysis middleware that logs depth metrics for all GraphQL operations including subscriptions
- Monitor WebSocket connection duration and subscription activity for anomalous patterns
How to Mitigate CVE-2026-30241
Immediate Actions Required
- Upgrade Mercurius to version 16.8.0 or later immediately
- Review application logs for evidence of exploitation attempts involving deeply nested subscriptions
- Consider temporarily disabling WebSocket subscriptions if upgrade is not immediately possible
- Implement network-level rate limiting on WebSocket endpoints as a defense-in-depth measure
Patch Information
The vulnerability has been patched in Mercurius version 16.8.0. The fix ensures that the queryDepth validation is consistently applied to all GraphQL operations regardless of the transport mechanism. The patch commit (5b56f60f4b0d60780b0ff499a479bd830bdd6986) integrates depth checking into the WebSocket subscription handling path.
For detailed patch information, refer to the GitHub Security Advisory and the associated commit.
Workarounds
- Implement custom middleware to validate query depth for WebSocket subscriptions before processing
- Use a reverse proxy or API gateway with GraphQL inspection capabilities to enforce depth limits
- Restrict WebSocket subscription access to authenticated users only as a compensating control
- Consider implementing query cost analysis as an additional layer of protection beyond depth limits
The vulnerability mechanism involves bypassing the configured queryDepth limit specifically for WebSocket subscription queries. The recommended mitigation is upgrading to the patched version, but if immediate upgrade is not feasible, implementing custom depth validation in subscription resolvers or restricting WebSocket access can provide temporary protection. See the GitHub Security Advisory for additional technical details on implementing workarounds.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
