CVE-2025-64166: CWE-352: Cross-Site Request Forgery (CSRF) in mercurius-js mercurius
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
AI Analysis
Technical Summary
Mercurius is a GraphQL adapter for the Fastify web framework. Before version 16.4.0 it contained a CSRF vulnerability (CVE-2025-64166) caused by incorrect parsing of the Content-Type header of incoming HTTP requests: a request whose Content-Type was application/x-www-form-urlencoded, multipart/form-data, or text/plain could be treated as application/json and its body parsed as a GraphQL JSON request. That matters because of how browsers apply CORS. A cross-origin POST with Content-Type application/json is not a "simple" request, so the browser first sends an OPTIONS preflight and withholds the real request unless the server's CORS policy allows it. The three content types above are CORS-safelisted: a browser sends them cross-site without any preflight, from an HTML form or a fetch() call, and attaches the user's cookies if their SameSite attribute permits. A server that accepts such bodies as JSON therefore loses the protection the preflight would otherwise provide, and a malicious page can submit GraphQL queries or mutations to a vulnerable endpoint in the context of a logged-in victim. The attacker needs no credentials of their own; the victim must visit the attacker's page while holding a session, and the application must authenticate that session ambiently (cookies or HTTP authentication) rather than with a bearer token, which a cross-site request cannot carry. The impact falls mainly on integrity (unauthorized state-changing mutations); confidentiality impact is limited because the same-origin policy still prevents the attacker's page from reading the response unless a permissive CORS configuration allows it. Version 16.4.0 fixes the Content-Type parsing so that only a genuine application/json media type is treated as JSON, which restores the browser preflight as a barrier. No active exploitation has been reported, but any application on an earlier mercurius version with cookie-based authentication should treat this as a significant risk.
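The mechanism above, as an added example that is not mercurius project code: a small Content-Type parser, a check for whether a browser would send a cross-site POST without a preflight, and a simulated GraphQL endpoint run under two content-type policies. The weak policy (looseIsJson) is a hypothetical illustration of the bug class, not the actual mercurius logic; the strict policy is what a patched server should enforce. The sample requests, cookie value and mutation text are constructed for the example.

```javascript
// Added example (not mercurius project code). Models the mechanism the advisory
// describes: browsers skip the CORS preflight for three "safelisted" content types,
// so a server that treats such a body as application/json loses that barrier.
// looseIsJson is a hypothetical weak policy, not the real mercurius code.

// Parse a Content-Type header into its media type ("essence") and parameters.
// Token syntax is simplified; case is normalized as RFC 7231 allows.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [typePart, ...paramParts] = header.split(';');
  const mediaType = typePart.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(mediaType)) return null;
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    params[name] = value;
  }
  return { mediaType, params };
}

// Content types the Fetch spec safelists: a cross-site POST carrying one of these
// (parameters included) is sent without an OPTIONS preflight.
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Would a browser send a cross-site POST with this Content-Type without a preflight?
// Only the Content-Type rule is modelled; custom headers would also trigger a preflight.
function isPreflightFree(contentType) {
  const parsed = parseContentType(contentType);
  return parsed !== null && CORS_SAFELISTED.has(parsed.mediaType);
}

// Hypothetical weak policy: "JSON if the header mentions application/json anywhere".
// A safelisted header such as "text/plain; x=application/json" passes this check.
function looseIsJson(contentType) {
  return typeof contentType === 'string' && contentType.toLowerCase().includes('application/json');
}

// Strict policy: JSON only when the parsed media type itself is application/json.
function strictIsJson(contentType) {
  const parsed = parseContentType(contentType);
  return parsed !== null && parsed.mediaType === 'application/json';
}

// Minimal stand-in for a GraphQL POST handler. Returns the HTTP status the server
// would answer with under the given content-type policy: 415 when the body is
// refused, 400 when it is not a GraphQL JSON document, 200 when it would execute.
function handleGraphqlPost(req, isJson) {
  if (!isJson(req.headers['content-type'])) return { status: 415, operation: null };
  let doc;
  try {
    doc = JSON.parse(req.body);
  } catch {
    return { status: 400, operation: null };
  }
  if (!doc || typeof doc.query !== 'string') return { status: 400, operation: null };
  return { status: 200, operation: doc.query };
}

// Constructed sample: the request an attacker-controlled page could make a logged-in
// victim's browser send cross-site. The content type is safelisted, so no preflight
// happens, yet the body is a JSON GraphQL document.
const crossSiteRequest = {
  headers: {
    'content-type': 'text/plain; x=application/json',
    cookie: 'session=victim-session-cookie', // attached only if the cookie's SameSite policy allows it
  },
  body: JSON.stringify({ query: 'mutation { updateProfile(email: "attacker@example.com") { id } }' }),
};

// Constructed sample: a legitimate same-origin client request.
const legitimateRequest = {
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: JSON.stringify({ query: '{ viewer { id } }' }),
};

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log('preflight-free :', isPreflightFree(crossSiteRequest.headers['content-type']));
  console.log('loose policy   :', handleGraphqlPost(crossSiteRequest, looseIsJson).status);
  console.log('strict policy  :', handleGraphqlPost(crossSiteRequest, strictIsJson).status);
  console.log('legit, strict  :', handleGraphqlPost(legitimateRequest, strictIsJson).status);
}
```

The point of the two policies: parameters such as charset are legal on any media type, and on a safelisted type the attacker chooses them freely, so a substring or prefix check on the raw header is not a safe JSON test. Comparing the parsed media type is, and it is also why the strict policy still accepts the legitimate request with its charset parameter.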
Potential Impact
This vulnerability allows actions to be executed on behalf of an authenticated user without that user's consent: any mutation the victim's session is authorized to perform, including administrative operations if the victim is an administrator. Organizations exposing mercurius-based GraphQL APIs with cookie or HTTP-authenticated sessions may therefore face integrity violations such as unauthorized transactions or account changes. Confidentiality impact is smaller, since the attacker's page normally cannot read the response to a cross-site request unless the server's CORS policy is also permissive. Availability is not directly affected, although unauthorized operations can indirectly harm service reliability and user trust. Exploitation is of moderate difficulty: it needs no attacker authentication and no special conditions on the server beyond the vulnerable version, but it does require the victim to visit an attacker-controlled page while logged in, and it is blunted where session cookies carry SameSite=Lax or Strict or where the API is authenticated with bearer tokens that cross-site requests cannot send. The affected population is every application on a mercurius version earlier than 16.4.0, which may be large given mercurius's popularity for Fastify-based GraphQL, with sectors that depend on API integrity such as finance, healthcare, and e-commerce most exposed.
Mitigation Recommendations
1. Upgrade mercurius to version 16.4.0 or later; this is the only change that removes the root cause.
2. Until the upgrade is deployed, reject any POST to the GraphQL route whose Content-Type media type (the part before any ";") is not application/json and answer with 415. Compare the parsed media type, not a substring or prefix of the raw header: parameters such as charset are legal on any media type, and on a safelisted type they are attacker-chosen.
3. Do not rely on Content-Type alone. Set SameSite=Lax or Strict on session cookies, which browsers do not attach to cross-site POSTs, and consider requiring a custom request header on GraphQL requests so that every cross-origin caller is forced through a CORS preflight. Anti-CSRF tokens remain a valid defense for cookie-authenticated APIs.
4. Review the CORS policy: allow only trusted origins, and never reflect arbitrary origins together with Access-Control-Allow-Credentials: true.
5. Test GraphQL endpoints by sending a JSON body under text/plain, application/x-www-form-urlencoded and multipart/form-data; a vulnerable server executes the operation, a patched one refuses it.
6. Educate developers on proper header validation and on which request shapes browsers send cross-site without a preflight.
7. Monitor logs for GraphQL POSTs with a non-JSON Content-Type, an Origin or Referer from an unexpected site, or mutations not preceded by an OPTIONS request from the same client.
8. If the upgrade cannot be applied immediately, a WAF or reverse-proxy rule that blocks POSTs to the GraphQL path whose media type is not application/json provides equivalent interim protection.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-28T21:07:16.438Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9c05f460e1c85df0c5c48
Added to database: 3/5/2026, 5:41:51 PM
Last enriched: 3/5/2026, 5:51:46 PM
Last updated: 3/5/2026, 9:04:49 PM