CVE-2025-64166 MEDIUM

CVE-2025-64166: Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Vendor Mercurius-Js
Product mercurius
Weakness CWE-352 · CSRF
Published March 5, 2026
Last update March 5, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-29453 WordPress API KEY for Google Maps plugin <= 1.2.1 - CSRF vulnerability leading to Google Maps API key update CVE-2023-25478 WordPress Weather Station Plugin <= 3.8.12 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-23532 WordPress MyAnime Widget plugin <= 1.0 - CSRF to Privilege Escalation vulnerability CVE-2023-25066 WordPress FV Flowplayer Video Player Plugin <= 7.5.30.7212 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-28876 WordPress Skrill Official plugin <= 1.0.66 - Cross Site Request Forgery (CSRF) vulnerability