Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests.
Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/mercurius-js/mercurius/commit/962d402ec7a92342f4a1b7f5f04af0…
security-advisories@github.com
https://github.com/mercurius-js/mercurius/pull/1187
security-advisories@github.com
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc…
security-advisories@github.com