CVE-2025-64166

Published: Mar 5, 2026Modified: Mar 13, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.

Affected (1)

Products: Mercurius Project: Mercurius

Mercurius Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mercurius Project Mercurius	Before 16.4.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c

Source: security-advisories@github.com

Patch

https://github.com/mercurius-js/mercurius/pull/1187

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57

Source: security-advisories@github.com

ExploitPatchVendor Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchVendor Advisory

Timeline

No history available yet.