Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests.
Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
Attack Parameters
Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
Required
Нужно действие пользователя
Impact Assessment
Confidentiality
Low
Частичная утечка данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af0…
security-advisories@github.com
https://github.com/mercurius-js/mercurius/pull/1187
security-advisories@github.com
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc…
security-advisories@github.com