Mercurius: Malicious requests can bypass security checks
GHSA-v66j-6wwf-jc57
CVE-2025-64166
Summary
Mercurius 16.x is vulnerable to cross-site request forgery: a request sent from a different website can be accepted as if it came from an authenticated user, because the browser's cross-origin protections are bypassed and the server performs the requested action on that user's behalf. To fix this, update to the latest version of Mercurius.
What to do
- Update matteo.collina mercurius to version 16.4.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| matteo.collina | mercurius | <= 16.3.0 | 16.4.0 |
Original title
Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Original description
### Summary
A Cross-Site Request Forgery (CSRF) vulnerability was identified in Mercurius 16.x. The issue arises from incorrect parsing of the `Content-Type` header in requests. Specifically, requests with `Content-Type` values such as `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` could be misinterpreted as `application/json`. Because those three values are CORS-safelisted, a cross-origin `fetch()` sends such a request without a CORS preflight; treating its body as JSON therefore bypasses the preflight check, potentially allowing unauthorized actions to be performed on behalf of an authenticated user.
---
### Impact
An attacker could exploit this vulnerability by crafting a malicious request with a `Content-Type` that Fastify incorrectly parses as `application/json`. When such a request is made from a different origin, the browser sends it without a CORS preflight, so the Cross-Origin Resource Sharing (CORS) protections are bypassed, leading to a potential CSRF attack. This could result in unauthorized actions being performed on behalf of an authenticated user without their consent.
---
### Proof of Concept
```javascript
// Server-side Fastify setup
const Fastify = require('fastify');
const mercurius = require('mercurius');

const app = Fastify();

const schema = `
  type Query {
    hello(name: String): String
  }
`;

const resolvers = {
  Query: {
    hello: (_, { name }) => `Hello ${name || 'World'}!`
  }
};

app.register(mercurius, { schema, resolvers });

// Fastify 4+ takes a listen options object rather than a bare port number
app.listen({ port: 3000 }, (err) => {
  if (err) throw err;
  console.log('Server listening on http://localhost:3000');
});
```
```javascript
// Malicious client-side code
fetch('http://localhost:3000/graphql', {
  method: 'POST',
  body: JSON.stringify({ query: '{ hello(name: "attacker") }' }),
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  credentials: 'include'
});
```
In the above example, the malicious request is crafted to exploit the CSRF vulnerability by using a `Content-Type` that Fastify incorrectly parses as `application/json`.
---
### Mitigation
To address this vulnerability, CSRF protection has been implemented in Mercurius 16.4.0 (see the pull request referenced below).
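The check below is an added example, not Mercurius' or Fastify's own code, showing the reasoning a GraphQL endpoint can apply before it parses a POST body as JSON: a body that arrived with a CORS-safelisted `Content-Type` could have been sent cross-origin without a preflight, so it is refused instead of being treated as JSON. It assumes header names are lower-cased (as Node.js and Fastify deliver them), uses a hypothetical custom header name `x-graphql-client` as the preflight trigger, and is written as plain functions rather than a Fastify hook.

```javascript
// Added example, not Mercurius' or Fastify's own code: a check run before a
// GraphQL POST body is parsed as JSON. A cross-origin browser request skips
// the CORS preflight only when its method is simple, its Content-Type is one
// of the three CORS-safelisted types, and it carries no custom header; such
// bodies are refused here instead of being silently treated as JSON.

const SAFELISTED_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Hypothetical header a first-party client sends; any non-safelisted header
// forces a preflight, the name here is just an assumption of this example.
const PREFLIGHT_HEADER = 'x-graphql-client';

// Media type only: parameters such as charset or boundary are dropped.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Could this request have reached the server cross-origin with no preflight?
function isPreflightFree(req) {
  const method = (req.method || 'GET').toUpperCase();
  if (!['GET', 'HEAD', 'POST'].includes(method)) return false;
  const ct = mediaType(req.headers['content-type']);
  if (ct && !SAFELISTED_TYPES.has(ct)) return false; // e.g. application/json
  return !(PREFLIGHT_HEADER in req.headers);
}

// Decision for one request: allow JSON parsing, or reject it as CSRF-prone.
function checkGraphqlRequest(req) {
  const ct = mediaType(req.headers['content-type']) || 'none';
  if (isPreflightFree(req)) {
    return { allow: false, reason: `preflight-free request, content-type ${ct}` };
  }
  return { allow: true, reason: `content-type ${ct} could not skip preflight` };
}

// Constructed sample requests modelled on the advisory's proof of concept.
const SAMPLES = [
  { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' } },
  { method: 'POST', headers: { 'content-type': 'text/plain;charset=UTF-8' } },
  { method: 'POST', headers: { 'content-type': 'application/json' } },
  { method: 'POST', headers: { 'content-type': 'text/plain', [PREFLIGHT_HEADER]: '1' } },
];
// Reasons for every rejected sample: the first two are rejected, the rest pass.
function auditSamples() {
  return SAMPLES.map(checkGraphqlRequest).filter((d) => !d.allow).map((d) => d.reason);
}
```

A request that passes this check is still subject to the server's normal CORS policy; the check only closes the gap where a safelisted type was parsed as JSON.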
## References
* https://github.com/mercurius-js/mercurius/pull/1187
CVSS 3.1 (GHSA): 5.4
Vulnerability type: CWE-352 Cross-Site Request Forgery (CSRF)
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc5...
- https://github.com/mercurius-js/mercurius/pull/1187
- https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01...
- https://nvd.nist.gov/vuln/detail/CVE-2025-64166
- https://github.com/advisories/GHSA-v66j-6wwf-jc57
Published: 5 Mar 2026 · Updated: 8 Mar 2026 · First seen: 6 Mar 2026