### Impact
Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`.
### Patches
This was patched in https://github.com/mercurius-js/mercurius/pull/940.
The patch was released as v11.5.0 and v8.13.2.
### Workarounds
Disable subscriptions.
### References
Reported publicly as https://github.com/mercurius-js/mercurius/issues/939.
The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228Read More