CVE-2026-30241: Mercurius's queryDepth limit bypassed for WebSocket subscriptions

March 6, 2026 (updated March 9, 2026)

Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event.

References

github.com/advisories/GHSA-m4h2-mjfm-mp55
github.com/mercurius-js/mercurius
github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986
github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55
nvd.nist.gov/vuln/detail/CVE-2026-30241

Code Behaviors & Features

Detect and mitigate CVE-2026-30241 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →