cvedb.io
CVE-2025-64166
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-03-05T16:16:11.310 · Last modified 2026-06-17T09:53:56.630

Summary

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.

Affected products

mercurius_project — mercurius

Does this affect you?

Add your gear to cvedb and we'll alert you only when mercurius_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.