CVE-2025-64166

5.4 MEDIUM
Published: March 05, 2026 Modified: March 13, 2026

Description

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header of incoming requests: requests declaring values such as application/x-www-form-urlencoded, multipart/form-data or text/plain could be misinterpreted as application/json and processed as GraphQL requests. Those three media types are exactly the CORS-safelisted ("simple") ones that a browser sends cross-origin, with the user's cookies attached, without the preflight check the fetch() API performs for application/json. A malicious page on another origin could therefore submit a crafted GraphQL operation and have it executed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
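The following is an added example, not code from Mercurius or from the advisory. It models the two halves of the bug described above in plain JavaScript: which Content-Type values a browser will send cross-origin without a preflight, and how a hypothetical lenient server-side check (accept any body that parses as JSON) compares with a strict one (accept only a declared application/json media type). All function names, the attacker payload and the `deleteAccount` mutation are constructed for illustration and are not Mercurius internals.

```javascript
// Added example, not Mercurius code. Function names are illustrative.

// Fetch standard: a Content-Type whose media type (parameters ignored) is one
// of these is "CORS-safelisted". A browser sends such a request cross-origin,
// with the victim's cookies, and never asks the server's permission first.
const CORS_SAFELISTED_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Split "type/subtype; name=value" into a lowercase media type and parameters.
// Returns null for anything that is not a syntactically valid media type.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [type, ...params] = header.split(';');
  const mediaType = type.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(mediaType)) return null;
  const parameters = {};
  for (const param of params) {
    const eq = param.indexOf('=');
    if (eq === -1) continue;
    const name = param.slice(0, eq).trim().toLowerCase();
    const value = param.slice(eq + 1).trim().replace(/^"|"$/g, '');
    parameters[name] = value;
  }
  return { mediaType, parameters };
}

// Simplified CORS rule: GET/HEAD/POST with no Content-Type or a safelisted one
// is a "simple request" and goes out without an OPTIONS preflight. (The real
// rule also forbids custom headers; they are not relevant to this bug.)
function isSimpleRequest(method, contentType) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return false;
  if (contentType === undefined) return true;
  const parsed = parseContentType(contentType);
  return parsed !== null && CORS_SAFELISTED_TYPES.has(parsed.mediaType);
}

// Hypothetical lenient check (the failure mode): the body parses as JSON, so
// it is treated as application/json no matter what the header declares.
function lenientAcceptsAsJson(_contentType, body) {
  try {
    JSON.parse(body);
    return true;
  } catch {
    return false;
  }
}

// Strict check: only an explicitly declared application/json media type is
// accepted; charset and other parameters are fine, safelisted types are not.
function strictAcceptsAsJson(contentType) {
  const parsed = parseContentType(contentType);
  return parsed !== null && parsed.mediaType === 'application/json';
}

// Constructed attacker request, as a page on another origin could send with
//   fetch('https://victim.example/graphql', { method: 'POST', credentials: 'include',
//         headers: { 'Content-Type': 'text/plain;charset=UTF-8' }, body: ATTACK_BODY })
// or with a crafted auto-submitted HTML form (forms can only produce the three
// safelisted types). The mutation name is made up for the example.
const ATTACK_CT = 'text/plain;charset=UTF-8';
const ATTACK_BODY = JSON.stringify({ query: 'mutation { deleteAccount }' });

// Outcome for one request against one server-side policy:
//   PREFLIGHTED - browser sends OPTIONS first; without permissive CORS headers
//                 from the server the real request never leaves the browser
//   EXPLOITABLE - request is sent with cookies and the server runs it as GraphQL
//   REJECTED    - request is sent, but the server refuses the media type
function csrfExposure(method, contentType, body, acceptsAsJson) {
  if (!isSimpleRequest(method, contentType)) return 'PREFLIGHTED';
  return acceptsAsJson(contentType, body) ? 'EXPLOITABLE' : 'REJECTED';
}

// Stand-alone demo: the same forged request under both policies.
console.log('lenient:', csrfExposure('POST', ATTACK_CT, ATTACK_BODY, lenientAcceptsAsJson)); // EXPLOITABLE
console.log('strict: ', csrfExposure('POST', ATTACK_CT, ATTACK_BODY, strictAcceptsAsJson)); // REJECTED
console.log('json:   ', csrfExposure('POST', 'application/json', ATTACK_BODY, strictAcceptsAsJson)); // PREFLIGHTED
```

The point the demo makes is that the server-side media-type check is the CSRF boundary here: a GraphQL endpoint that only ever accepts a declared application/json body forces cross-origin callers through a preflight, whereas one that sniffs JSON out of a text/plain body gives that protection away. To see whether a project is in scope, `npm ls mercurius` shows the resolved version; anything below 16.4.0 is affected per the advisory.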


CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Read against the description: the attack is delivered over the network (AV:N) with low complexity (AC:L) and no privileges on the target (PR:N), but it requires user interaction (UI:R), namely an authenticated victim visiting an attacker-controlled page; scope is unchanged (S:U), and the impact is rated low on confidentiality and integrity (C:L/I:L) with no availability impact (A:N).

References to Advisories, Solutions, and Tools

https://github.com/mercurius-js/mercurius/pull/1187
Source: security-advisories@github.com (Issue Tracking, Patch)

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57
Source: security-advisories@github.com (Exploit, Patch, Vendor Advisory)
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Exploit, Patch, Vendor Advisory)

4 reference(s) from NVD

Quick Stats

CVSS v3 Score: 5.4 / 10.0
EPSS (Exploit Probability): 0.0% (0th percentile)
Exploitation Status: Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

mercurius_project