CVE-2025-64166 in mercurius
Summary
by MITRE • 03/05/2026
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified as CVE-2025-64166 affects Mercurius, a GraphQL adapter for the Fastify web framework that enables GraphQL API implementations within Node.js applications. This security flaw represents a significant concern for applications relying on Mercurius for their GraphQL endpoints, as it exposes systems to cross-site request forgery attacks that could compromise user sessions and execute unauthorized operations. The vulnerability specifically impacts versions prior to 16.4.0, indicating that organizations using older versions of the adapter are at risk of exploitation.
The technical root cause of this vulnerability lies in the improper parsing of Content-Type headers within the request processing pipeline of Mercurius. When HTTP requests arrive with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain, the adapter fails to correctly identify these as distinct content types rather than treating them as application/json. This misclassification occurs at the middleware level where request validation and processing logic resides, creating a fundamental parsing error that undermines the security controls designed to protect against CSRF attacks. The flaw demonstrates a classic case of inadequate input validation and type checking within the HTTP request handling mechanism.
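The distinction the summary and the paragraph above turn on is between the request's actual media type and a loose match on the header string. The following is an added example, not Mercurius's own code: a hardened Content-Type classifier for a GraphQL endpoint beside an illustrative naive check (the naive check is a hypothetical stand-in for the kind of parsing error the advisory describes, not the project's actual code). It assumes the Fastify hook that would call it passes the raw header value as a string.

```javascript
// Media types browsers may POST cross-site without a CORS preflight. A GraphQL
// endpoint that accepts any of these as JSON is reachable from a cross-site page.
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Extract the media type proper: the token before the first ';', trimmed and
// lowercased. Parameters such as charset=... or boundary=... are ignored.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';', 1)[0].trim().toLowerCase();
}

// Illustrative naive check (hypothetical, not Mercurius's code): it accepts any
// header value that merely contains "application/json", so a safelisted type
// whose parameter happens to contain that substring is treated as JSON.
function naiveIsJson(contentType) {
  return typeof contentType === 'string' &&
    contentType.toLowerCase().includes('application/json');
}

// Hardened check: a request is JSON only when its media type is exactly
// application/json; safelisted types are refused outright so that a cross-site
// form or fetch() cannot reach a resolver without a preflight.
function classifyRequest(contentType) {
  const type = mediaType(contentType);
  if (CORS_SAFELISTED.has(type)) return 'reject-simple-request';
  if (type === 'application/json') return 'json';
  return 'reject-unknown';
}

// Constructed sample headers for the two checks to disagree on.
const SAMPLES = [
  'application/json',
  'application/json; charset=utf-8',
  'text/plain; format=application/json',
  'multipart/form-data; boundary=application/json',
  'application/x-www-form-urlencoded',
];

// Headers the naive check would parse as JSON but the hardened check refuses.
function disagreements(headers = SAMPLES) {
  return headers.filter(h => naiveIsJson(h) && classifyRequest(h) !== 'json');
}
```

Wire `classifyRequest` into a Fastify `preParsing` or `preHandler` hook on the GraphQL route and return 415 for anything other than `'json'`; the `disagreements` list is the regression test for the parser.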
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential complete session hijacking and unauthorized administrative actions. When the fetch() API's preflight checks are bypassed due to the Content-Type misinterpretation, authenticated users become vulnerable to CSRF attacks that can execute malicious operations without their knowledge or consent. Attackers can craft malicious requests that appear to originate from legitimate authenticated sessions, exploiting the fact that browsers automatically attach cookies and authentication tokens to requests sent to that origin, whichever site issued them. This vulnerability particularly affects applications where GraphQL endpoints handle sensitive operations such as user profile modifications, data deletions, or administrative functions that require proper authorization verification.
The security implications align with CWE-346, which addresses "Origin Validation Error", and reflect patterns commonly found in CSRF vulnerabilities where the application fails to properly validate the source and intended destination of requests. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 - "Phishing via Service" and T1071.004 - "Application Layer Protocol: DNS" in the context of how attackers might leverage the misconfigured Content-Type handling to craft deceptive requests. The vulnerability also demonstrates characteristics of T1531 - "Account Access Removal", where unauthorized actions can be performed on behalf of legitimate users. Organizations should consider implementing additional security controls such as CSRF tokens, SameSite cookie attributes, and proper Content-Type validation at the network level to provide defense in depth against this class of attack.
Mitigation strategies should begin with immediate deployment of Mercurius version 16.4.0 or later, which contains the necessary patches to properly handle Content-Type header parsing. Organizations should also implement comprehensive input validation at multiple layers including API gateways, reverse proxies, and application-level middleware to prevent similar parsing errors from occurring. Network-level protections such as Web Application Firewalls can provide additional detection and blocking capabilities for malformed requests attempting to exploit this vulnerability. Security teams should conduct thorough penetration testing and code reviews to identify any other potential parsing issues within their GraphQL implementations and related middleware components. Regular security updates and vulnerability assessments should be maintained to prevent similar issues from emerging in other components of the application stack.