CVE-2025-64166
Received Received - Intake
CSRF Vulnerability in Mercurius GraphQL Adapter via Content-Type Parsing

Publication date: 2026-03-05

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64166
EUVD
EUVD-2025-208313
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mercurius_project mercurius to 16.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-64166 is a Cross-Site Request Forgery (CSRF) vulnerability in Mercurius, a GraphQL adapter for Fastify. The vulnerability arises because Mercurius incorrectly parses the Content-Type header in HTTP requests. Specifically, requests with Content-Type values like application/x-www-form-urlencoded, multipart/form-data, or text/plain are mistakenly treated as application/json. This misinterpretation bypasses the preflight checks normally enforced by the fetch() API, allowing malicious cross-origin requests to be processed as legitimate JSON requests.

An attacker can exploit this by crafting a request that appears safe but is actually malicious, causing the server to execute unauthorized actions on behalf of an authenticated user without their consent. This vulnerability was fixed in Mercurius version 16.4.0 by introducing CSRF prevention mechanisms that ensure requests trigger CORS preflight checks when necessary.

Impact Analysis

This vulnerability can allow attackers to perform unauthorized actions on behalf of authenticated users by bypassing security checks. Specifically, malicious cross-origin requests can be sent that the server mistakenly processes as legitimate JSON requests, potentially leading to unauthorized data modifications or operations within applications using Mercurius versions prior to 16.4.0.

The impact includes low confidentiality and integrity loss, as indicated by the CVSS score, meaning some sensitive data could be exposed or altered without authorization. However, availability is not affected. Since no privileges are required and the attack complexity is low, any user interaction could trigger these unauthorized actions, increasing the risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for HTTP requests to Mercurius GraphQL endpoints that use unsafe Content-Type headers such as application/x-www-form-urlencoded, multipart/form-data, or text/plain, which are incorrectly parsed as application/json. Requests that bypass CORS preflight checks but carry JSON payloads are suspicious.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation attempts by inspecting HTTP request headers and payloads for these characteristics and by monitoring for HTTP 400 responses indicating blocked CSRF attempts if CSRF prevention is enabled.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such requests include using network traffic analysis tools like tcpdump or tshark to filter HTTP POST requests with suspicious Content-Type headers, for example:'}, {'type': 'list_item', 'content': "tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Content-Type: application/x-www-form-urlencoded\\|Content-Type: multipart/form-data\\|Content-Type: text/plain'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" && (http.content_type == "application/x-www-form-urlencoded" || http.content_type == "multipart/form-data" || http.content_type == "text/plain")\' -T fields -e http.host -e http.request.uri -e http.content_type'}, {'type': 'paragraph', 'content': 'Additionally, enabling Mercurius CSRF prevention will cause malicious requests to be blocked with HTTP 400 errors, which can be logged and monitored to detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

The primary mitigation is to upgrade Mercurius to version 16.4.0 or later, where the CSRF vulnerability has been fixed.

If upgrading immediately is not possible, you should enable the built-in CSRF prevention feature in Mercurius by setting the option csrfPrevention: true during Mercurius registration.

Configure CORS properly with allowed origins and credentials to complement CSRF protection.

Ensure that clients send requests with safe Content-Type headers such as application/json or include required custom headers (e.g., X-Mercurius-Operation-Name or Mercurius-Require-Preflight) to trigger CORS preflight checks.

Monitor logs for HTTP 400 responses indicating blocked CSRF attempts and update clients accordingly if they encounter CSRF errors.

As a best practice, always use HTTPS to protect against man-in-the-middle attacks and ensure secure communication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart