Mercurius Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in Mercurius, a GraphQL adapter for Fastify, in versions prior to 16.4.0. The issue stems from improper handling of the Content-Type header: requests carrying certain Content-Type values are incorrectly interpreted as application/json. Because browsers send those content types cross-origin without a CORS preflight, this misinterpretation bypasses CORS preflight checks and lets a cross-site page submit GraphQL operations in the context of a logged-in user's session, potentially enabling unauthorized actions on behalf of authenticated users.

Impact

Exploitation of this vulnerability could lead to CSRF attacks, allowing unauthorized actions to be performed on behalf of an authenticated user.

Reproduction

To reproduce this vulnerability, send a POST request to a GraphQL endpoint with a Content-Type header of 'application/x-www-form-urlencoded', 'multipart/form-data', or 'text/plain'. The request is misinterpreted as 'application/json', so it is processed without the CORS preflight that would otherwise block a cross-origin request, which allows CSRF attacks.

Remediation

Update to Mercurius version 16.4.0 or later, where this vulnerability is patched.
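As an added defence-in-depth example (not Mercurius code and not the project's patch), the following strict Content-Type gate enforces the behaviour the advisory's Vulnerability and Remediation sections describe: a GraphQL POST is accepted only when its media type is exactly application/json, so the form-urlencoded, multipart/form-data and text/plain bodies that browsers send without a preflight are rejected before any body parsing. The Fastify hook wrapper at the end is assumed usage and is not exercised here.

```javascript
// Added example: strict Content-Type gate for a GraphQL POST endpoint.
// Browsers send form-urlencoded, multipart/form-data and text/plain bodies
// cross-origin without a CORS preflight, so a server that treats such a body as
// JSON can be driven by a cross-site HTML form. Only an exact application/json
// media type passes; parameters such as charset are tolerated.

const ALLOWED_MEDIA_TYPE = 'application/json';

// Parse "type/subtype; param=value" into a lower-cased media type and its
// parameters. Returns null for a missing or malformed header.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [type, ...params] = header.split(';').map((s) => s.trim());
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(type)) return null;
  const parameters = {};
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const key = p.slice(0, eq).trim().toLowerCase();
    parameters[key] = p.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return { type: type.toLowerCase(), parameters };
}

// Decide whether a GraphQL request may proceed. Only POST bodies are gated;
// the verdict carries an HTTP status and a reason suitable for logging.
function checkGraphqlRequest(method, contentTypeHeader) {
  if (method !== 'POST') return { ok: true, status: 200, reason: 'no request body gated' };
  const parsed = parseContentType(contentTypeHeader);
  if (parsed === null) {
    return { ok: false, status: 415, reason: 'missing or malformed Content-Type' };
  }
  if (parsed.type !== ALLOWED_MEDIA_TYPE) {
    return { ok: false, status: 415, reason: `unsupported media type ${parsed.type}` };
  }
  return { ok: true, status: 200, reason: ALLOWED_MEDIA_TYPE };
}

// Assumed usage as a Fastify onRequest hook (request, reply, done): reject
// before the body parser runs, otherwise continue the request lifecycle.
function graphqlContentTypeHook(request, reply, done) {
  const verdict = checkGraphqlRequest(request.method, request.headers['content-type']);
  if (!verdict.ok) {
    reply.code(verdict.status).send({ error: verdict.reason });
    return;
  }
  done();
}
```

Rejected requests surface as 415 responses, which also gives a simple log signal for cross-origin POSTs that carry a non-JSON body.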

Added: Mar 5, 2026, 4:20 PM
Updated: Mar 5, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.3
  exploitability  7.3
  remediation     7.7
  relevance       3.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.