PT-2026-23452 · Unknown+2 · Fetch() Api+2

Published: 2026-03-05 · Updated: 2026-03-13 · CVE-2025-64166

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Vulnerable software and affected versions: Mercurius, versions prior to 16.4.0
Description: Mercurius, a GraphQL adapter for Fastify, is affected by a cross-site request forgery (CSRF) weakness in versions prior to 16.4.0. The cause is incorrect handling of the request Content-Type header: a POST declared as application/x-www-form-urlencoded, multipart/form-data or text/plain could have its body treated as application/json. Those three values are exactly the Content-Types a browser may send cross-origin without a CORS preflight: both the fetch() API and a plain HTML form emit them as "simple" requests, with the user's cookies attached. An attacker-controlled page can therefore POST a JSON-shaped GraphQL document under one of those content types; the browser never asks the server for permission, the Mercurius/Fastify request pipeline parses the body as JSON and executes the query or mutation, and the action is performed on behalf of the authenticated user. CORS itself is not defeated: the preflight that would block a cross-origin application/json request is simply never triggered, because the forged request is crafted with a Content-Type the server mistakenly accepts as application/json.
Recommendations: Upgrade Mercurius installations older than 16.4.0 to version 16.4.0 or later.
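As an added illustration (not Mercurius or Fastify code, and not part of the original advisory), the following stand-alone Node.js script models the two behaviours the description contrasts: a lenient GraphQL POST handler that feeds any body to JSON.parse, and a strict one that refuses everything except application/json with a 415 before the body is read. It also classifies each cross-site request the way a browser would, using the Fetch standard's rule that only text/plain, application/x-www-form-urlencoded and multipart/form-data Content-Type values skip the CORS preflight. The request objects, the cookie value and the `deleteMyAccount` mutation are constructed samples; `handleGraphQLPost`, `crossSiteOutcome` and `textPlainFormBody` are hypothetical names chosen for this example.

```javascript
// Added illustration, not Mercurius or Fastify code.

// Fetch standard: a cross-origin request needs no CORS preflight when its
// Content-Type essence is one of these three, so a browser sends such a POST
// (cookies included, subject to SameSite) without asking the server first.
const CORS_SAFELISTED_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// MIME "essence": type/subtype, lowercased, parameters stripped.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

function isCorsSafelistedContentType(contentType) {
  return CORS_SAFELISTED_TYPES.has(mimeEssence(contentType));
}

// Hypothetical GraphQL POST handler. `request` is a constructed plain object
// ({ headers, body }), not a Fastify request.
//   strict: false  -> body goes to JSON.parse whatever the declared type is
//                     (the "misinterpreted as application/json" pattern).
//   strict: true   -> anything but application/json is refused with 415
//                     before the body is read, so a safelisted request can
//                     never reach the executor.
function handleGraphQLPost(request, { strict }) {
  const ct = request.headers['content-type'];
  if (strict && mimeEssence(ct) !== 'application/json') {
    return { status: 415, body: { error: `unsupported media type: ${ct}` } };
  }
  let doc;
  try {
    doc = JSON.parse(request.body);
  } catch {
    return { status: 400, body: { error: 'malformed JSON body' } };
  }
  if (!doc || typeof doc.query !== 'string') {
    return { status: 400, body: { error: 'missing query' } };
  }
  // A real server would execute the document here; reporting that it would
  // have run is all the CSRF question needs.
  return { status: 200, body: { executed: doc.query } };
}

// Browser-side view of an attacker page's cross-site POST: does it reach the
// handler at all, and what does the handler answer?
function crossSiteOutcome(request, { strict }) {
  if (!isCorsSafelistedContentType(request.headers['content-type'])) {
    // Preflighted: the browser asks first; we assume the victim server's CORS
    // policy grants nothing to the attacker origin, so the real request is
    // never sent.
    return { preflighted: true, reachedHandler: false, status: null };
  }
  const res = handleGraphQLPost(request, { strict });
  return { preflighted: false, reachedHandler: true, status: res.status };
}

// Body an HTML <form enctype="text/plain"> submits: one "name=value" line per
// field. A field name that is the start of a JSON object turns the whole body
// into a JSON document, no fetch() required.
function textPlainFormBody(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('\r\n') + '\r\n';
}

// Constructed samples: the same forged mutation sent three ways with the
// victim's session cookie attached (cookie value is made up).
const forgedMutation = JSON.stringify({ query: 'mutation { deleteMyAccount }' });
const SAMPLE_REQUESTS = {
  fetchTextPlain: {
    headers: { 'content-type': 'text/plain;charset=UTF-8', cookie: 'session=victim' },
    body: forgedMutation,
  },
  fetchJson: {
    headers: { 'content-type': 'application/json', cookie: 'session=victim' },
    body: forgedMutation,
  },
  htmlForm: {
    headers: { 'content-type': 'text/plain', cookie: 'session=victim' },
    // Field name '{"query":"...","pad":"' and value '"}' join to valid JSON.
    body: textPlainFormBody({ '{"query":"mutation { deleteMyAccount }","pad":"': '"}' }),
  },
};

function demo() {
  return {
    lenientTextPlain: crossSiteOutcome(SAMPLE_REQUESTS.fetchTextPlain, { strict: false }),
    strictTextPlain: crossSiteOutcome(SAMPLE_REQUESTS.fetchTextPlain, { strict: true }),
    lenientJson: crossSiteOutcome(SAMPLE_REQUESTS.fetchJson, { strict: false }),
    lenientHtmlForm: crossSiteOutcome(SAMPLE_REQUESTS.htmlForm, { strict: false }),
    strictHtmlForm: crossSiteOutcome(SAMPLE_REQUESTS.htmlForm, { strict: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file prints the outcomes side by side: the text/plain request reaches the lenient handler and the mutation executes (200); the same request against the strict handler stops at 415; and the application/json request never reaches the handler, because the browser would preflight it first. The HTML-form variant shows the attack does not even need fetch(): a form with enctype="text/plain" emits `name=value`, and a field name chosen to be the opening of a JSON object makes the submitted body parse as a GraphQL document. The practical check on a real deployment is the strict branch: a GraphQL endpoint should answer 415 to a POST whose Content-Type is any of the three safelisted values, regardless of what the body contains.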

Exploit

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2025-64166
GHSA-V66J-6WWF-JC57

Affected products

Fastify
Mercurius
Fetch() Api