CVE-2025-64166

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c	Patch
https://github.com/mercurius-js/mercurius/pull/1187	Issue Tracking Patch
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57	Exploit Patch Vendor Advisory
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*

History

13 Mar 2026, 18:05

Type	Values Removed	Values Added
Summary		(es) Mercurius es un adaptador GraphQL para Fastify. Antes de la versión 16.4.0, se identificó una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF). El problema surge del análisis incorrecto del encabezado Content-Type en las peticiones. Específicamente, las peticiones con valores de Content-Type como application/x-www-form-urlencoded, multipart/form-data o text/plain podrían ser malinterpretadas como application/json. Esta mala interpretación omite las comprobaciones previas realizadas por la API fetch(), lo que podría permitir que se realicen acciones no autorizadas en nombre de un usuario autenticado. Este problema ha sido parcheado en la versión 16.4.0.
CPE		cpe:2.3:a:mercurius_project:mercurius::::::node.js::*
First Time		Mercurius Project Mercurius Project mercurius
References	~~() https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c -~~	() https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c - Patch
References	~~() https://github.com/mercurius-js/mercurius/pull/1187 -~~	() https://github.com/mercurius-js/mercurius/pull/1187 - Issue Tracking, Patch
References	~~() https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57 -~~	() https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57 - Exploit, Patch, Vendor Advisory

05 Mar 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57 -~~	() https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57 -

05 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 16:16

Updated : 2026-03-13 18:05

NVD link : CVE-2025-64166

Mitre link : CVE-2025-64166

CVE.ORG link : CVE-2025-64166

JSON object : View

Products Affected

mercurius_project

mercurius

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

5.4 /10