CVE-2025-64166
CSRF Vulnerability in Mercurius GraphQL Adapter via Content-Type Parsing
Publication date: 2026-03-05
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercurius_project | mercurius | all versions before 16.4.0 (16.4.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64166 is a Cross-Site Request Forgery (CSRF) vulnerability in Mercurius, a GraphQL adapter for Fastify. The vulnerability arises because Mercurius incorrectly parses the Content-Type header of HTTP requests: requests declaring application/x-www-form-urlencoded, multipart/form-data, or text/plain are treated as if they were application/json. Browsers let a cross-origin fetch() send those three "simple" content types without a CORS preflight, whereas application/json always requires one, so this misinterpretation lets a cross-origin request reach the GraphQL handler without the preflight check and be processed as a legitimate JSON request.
An attacker can exploit this by crafting a request that the browser considers safe to send but that carries a GraphQL operation, causing the server to execute unauthorized actions on behalf of an authenticated user without their consent. This vulnerability was fixed in Mercurius version 16.4.0 by introducing a CSRF prevention mechanism that only accepts requests which must have triggered a CORS preflight.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform unauthorized actions on behalf of authenticated users by bypassing security checks. Specifically, malicious cross-origin requests can be sent that the server mistakenly processes as legitimate JSON requests, potentially leading to unauthorized data modifications or operations within applications using Mercurius versions prior to 16.4.0.
The impact includes low confidentiality and integrity loss, as indicated by the CVSS score, meaning some sensitive data could be exposed or altered without authorization. However, availability is not affected. Since no privileges are required and the attack complexity is low, a single user interaction, such as an authenticated user visiting an attacker-controlled page, is enough to trigger these unauthorized actions, which increases the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for HTTP requests to Mercurius GraphQL endpoints that use unsafe Content-Type headers such as application/x-www-form-urlencoded, multipart/form-data, or text/plain, which are incorrectly parsed as application/json. Requests that bypass CORS preflight checks but carry JSON payloads are suspicious.
You can detect potential exploitation attempts by inspecting HTTP request headers and payloads for these characteristics and by monitoring for HTTP 400 responses indicating blocked CSRF attempts if CSRF prevention is enabled.
Suggested commands to detect such requests include using network traffic analysis tools like tcpdump or tshark to filter HTTP POST requests with suspicious Content-Type headers, for example:
- `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Content-Type: application/x-www-form-urlencoded\|Content-Type: multipart/form-data\|Content-Type: text/plain'`
- `tshark -Y 'http.request.method == "POST" && (http.content_type == "application/x-www-form-urlencoded" || http.content_type == "multipart/form-data" || http.content_type == "text/plain")' -T fields -e http.host -e http.request.uri -e http.content_type`
Two caveats apply to these filters. On port 443 the HTTP headers are inside TLS, so they are only visible where traffic is captured after TLS termination (for example on the reverse proxy or on the application host's loopback interface) or decrypted by the analysis tool. Also, the Content-Type value often carries parameters such as `; charset=UTF-8` or `; boundary=...`, which the exact-equality matches above will miss; in tshark the `contains` operator (e.g. `http.content_type contains "text/plain"`) is more robust.
Additionally, enabling Mercurius CSRF prevention will cause malicious requests to be blocked with HTTP 400 errors, which can be logged and monitored to detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Mercurius to version 16.4.0 or later, where the CSRF vulnerability has been fixed.
If upgrading immediately is not possible, enable the built-in CSRF prevention feature by passing the option csrfPrevention: true when registering Mercurius with Fastify.
Configure CORS properly with allowed origins and credentials to complement CSRF protection.
Ensure that clients send requests with safe Content-Type headers such as application/json or include required custom headers (e.g., X-Mercurius-Operation-Name or Mercurius-Require-Preflight) to trigger CORS preflight checks.
Monitor logs for HTTP 400 responses indicating blocked CSRF attempts and update clients accordingly if they encounter CSRF errors.
As a best practice, always use HTTPS to protect against man-in-the-middle attacks and ensure secure communication.
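The following is an added illustrative example, not Mercurius's own code, showing the content-type and custom-header check that both the explanation above (why simple content types bypass preflight) and the mitigation steps (csrfPrevention, the X-Mercurius-Operation-Name and Mercurius-Require-Preflight headers) rely on. The function names, the constructed sample requests and the exact error text are assumptions; the header names and the HTTP 400 status come from the advisory text.

```javascript
// Added example (not Mercurius's own code): a minimal re-implementation of the
// Content-Type / custom-header check behind GraphQL CSRF prevention.
// Function names are assumptions; header names come from the advisory.

// Media types a browser may send cross-origin WITHOUT a CORS preflight
// ("simple" requests). A server that parses these bodies as JSON is CSRF-exposed.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Custom headers whose presence forces the browser to run a preflight.
// Any custom header would do; these are the two the advisory lists.
const PREFLIGHT_HEADERS = ['x-mercurius-operation-name', 'mercurius-require-preflight'];

// Reduce a Content-Type value to its media type: drop parameters such as
// "; charset=utf-8" or "; boundary=..." and compare case-insensitively.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// HTTP header names are case-insensitive; normalise them for lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the browser could only have sent this request after a CORS
// preflight, i.e. the origin check has already had a chance to reject it.
function isPreflighted(rawHeaders) {
  const headers = normaliseHeaders(rawHeaders);
  const type = mediaType(headers['content-type']);
  // Any non-simple media type (e.g. application/json) triggers a preflight.
  if (type !== '' && !SIMPLE_CONTENT_TYPES.has(type)) return true;
  // A simple or missing media type is only acceptable with a custom header.
  return PREFLIGHT_HEADERS.some((name) => name in headers);
}

// "Before": the behaviour the advisory describes. The body is parsed as JSON
// whatever the declared Content-Type, so a simple cross-origin POST is accepted.
function vulnerableHandle(req) {
  return { status: 200, operation: JSON.parse(req.body) };
}

// "After": refuse with HTTP 400 before touching the body when the request
// could have arrived without a preflight (the status the advisory says
// csrfPrevention produces for blocked requests).
function hardenedHandle(req) {
  if (!isPreflighted(req.headers)) {
    return { status: 400, error: 'Content-Type is not preflighted and no preflight-forcing header is present' };
  }
  return { status: 200, operation: JSON.parse(req.body) };
}

// Constructed sample requests (not captured traffic).
const SAMPLE = {
  // A cross-origin fetch() can send this with no preflight at all.
  crossOriginForm: {
    headers: { 'Content-Type': 'text/plain;charset=UTF-8' },
    body: '{"query":"mutation { markAllRead { count } }"}',
  },
  // Ordinary GraphQL client: application/json always triggers a preflight.
  jsonClient: {
    headers: { 'content-type': 'application/json' },
    body: '{"query":"{ me { id } }"}',
  },
  // A simple content type is acceptable once a custom header forces a preflight.
  formWithHeader: {
    headers: { 'Content-Type': 'text/plain', 'X-Mercurius-Operation-Name': 'me' },
    body: '{"query":"{ me { id } }"}',
  },
};

// Run every sample through both handlers and report the status each returns.
function summarize() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLE)) {
    result[name] = { vulnerable: vulnerableHandle(req).status, hardened: hardenedHandle(req).status };
  }
  return result;
}

console.log(summarize());
```

The point to take from the samples is that the vulnerable handler returns 200 for all three requests, while the hardened one returns 400 only for the cross-origin form POST and still accepts both the JSON client and the form request that carries a preflight-forcing header. On a Mercurius deployment this is the check the csrfPrevention option provides; upgrading to 16.4.0 or later remains the actual fix.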