Vulnerability Description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
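The reason the Content-Type confusion matters is that browsers send cross-origin requests with application/x-www-form-urlencoded, multipart/form-data or text/plain bodies without a CORS preflight, while a request declaring application/json always triggers one. A server that treats such a body as JSON therefore executes it even though no preflight ever asked the server's CORS policy. The following is an added example, not Mercurius's own code or its patch: it contrasts a hypothetical weak handler that sniffs the body regardless of the declared type with a strict handler that parses the Content-Type header and only accepts application/json. Names such as parseMediaType, weakHandler and strictHandler are assumptions for illustration, and the request values are constructed test input.

```javascript
// Added example (not Mercurius code): strict Content-Type handling for a GraphQL
// endpoint as a defence against the CSRF pattern described above.
// All function names here are hypothetical; sample inputs are constructed.

// Parse a Content-Type header into { mediaType, params }.
// Returns null when the header is missing or not a valid type/subtype.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const [typePart, ...paramParts] = header.split(';');
  const mediaType = typePart.trim().toLowerCase();
  // RFC 7230 token characters on both sides of the slash, both non-empty.
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp(`^${token}/${token}$`).test(mediaType)) return null;
  const params = {};
  for (const p of paramParts) {
    const idx = p.indexOf('=');
    if (idx === -1) continue;
    const key = p.slice(0, idx).trim().toLowerCase();
    const value = p.slice(idx + 1).trim().replace(/^"(.*)"$/, '$1');
    if (key) params[key] = value;
  }
  return { mediaType, params };
}

// Media types a browser may send cross-origin WITHOUT a CORS preflight
// (the CORS-safelisted Content-Type values of the Fetch standard).
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

function isCorsSafelisted(contentType) {
  const parsed = parseMediaType(contentType);
  return parsed !== null && CORS_SAFELISTED.has(parsed.mediaType);
}

// Hypothetical WEAK behaviour: ignore the declared type and sniff the body.
// A text/plain body that happens to contain JSON is executed as a GraphQL
// operation, which is exactly what a preflight-free cross-site request can send.
function weakHandler(_contentType, body) {
  try {
    const doc = JSON.parse(body);
    return { status: 200, query: doc.query };
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
}

// Hardened behaviour: the declared media type must be application/json
// (with a UTF-8 charset if one is given) before the body is parsed at all.
function strictHandler(contentType, body) {
  const parsed = parseMediaType(contentType);
  if (parsed === null || parsed.mediaType !== 'application/json') {
    return { status: 415, error: 'Content-Type must be application/json' };
  }
  const charset = (parsed.params.charset || 'utf-8').toLowerCase();
  if (charset !== 'utf-8' && charset !== 'utf8') {
    return { status: 415, error: 'unsupported charset' };
  }
  let doc;
  try {
    doc = JSON.parse(body);
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
  if (doc === null || typeof doc !== 'object' || typeof doc.query !== 'string') {
    return { status: 400, error: 'missing query' };
  }
  return { status: 200, query: doc.query };
}

// Stand-alone demonstration with a constructed request: a fetch() with a string
// body is sent by browsers as text/plain;charset=UTF-8 and needs no preflight.
const sampleType = 'text/plain;charset=UTF-8';
const sampleBody = '{"query":"mutation { updateProfile(name: \\"x\\") { id } }"}';
console.log('safelisted (no preflight):', isCorsSafelisted(sampleType));
console.log('weak handler:', weakHandler(sampleType, sampleBody).status);   // 200
console.log('strict handler:', strictHandler(sampleType, sampleBody).status); // 415
console.log('strict, proper JSON request:', strictHandler('application/json', sampleBody).status); // 200
```

The strict check closes the preflight bypass because a cross-origin fetch() that declares application/json is no longer a "simple" request: the browser sends an OPTIONS preflight first and the server's CORS policy decides whether the real request is ever made. It is a complement to, not a replacement for, a sound CORS configuration and cookie settings such as SameSite; a GraphQL endpoint should also refuse to execute mutations on GET requests.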
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mercurius Project | Mercurius | < 16.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01 (Patch)
- https://github.com/mercurius-js/mercurius/pull/1187 (Issue Tracking, Patch)
- https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc5 (Exploit, Patch, Vendor Advisory)
FAQ
What is CVE-2025-64166?
CVE-2025-64166 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type heade...
How severe is CVE-2025-64166?
CVE-2025-64166 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-64166?
Check the references section above for vendor advisories and patch information. Affected products include: Mercurius Project Mercurius.