CVE-2025-64166
Plain English Summary
AI-powered analysis for quick understanding
A malicious web page can make a logged-in user's browser send a forged GraphQL request to a Mercurius server, and the server will execute it as that user. The flaw is that the server treats requests whose Content-Type is not application/json (for example text/plain) as if they were JSON. Browsers send requests with those content types cross-origin without a CORS preflight, so the browser-side check that would normally stop a cross-site JSON POST never happens. Only versions before 16.4.0 are affected.
Technical Description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests: a request with a Content-Type such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json and its body executed as a GraphQL operation. Those three media types are CORS-safelisted, so a browser sends a cross-origin POST carrying one of them without a preflight request; the protection a preflight would provide for an application/json POST is therefore bypassed. A malicious page can thus cause an authenticated user's browser to submit a GraphQL request, including mutations, that the server executes with that user's session cookies or other ambient credentials. This issue has been patched in version 16.4.0.
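The mechanism above, as an added example that is not part of this advisory or of the Mercurius code base: a hypothetical loose content-type check beside a strict one, a classifier for which Content-Type values a browser sends cross-origin without a preflight, and a constructed forged request run through both checks. The function names, the stand-in handler and the sample requests are assumptions for illustration; the loose check reproduces the effect the advisory describes (a non-JSON Content-Type handled as JSON), not Mercurius's actual parsing bug.

```javascript
// Added illustration for CVE-2025-64166: NOT Mercurius source code.
// looseIsJsonRequest() is a hypothetical stand-in that reproduces the
// effect described in the advisory, not the project's actual parser.

// Media types a browser sends cross-origin WITHOUT a CORS preflight
// (the CORS-safelisted Content-Type values in the Fetch standard).
const CORS_SAFELISTED_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Reduce a Content-Type header to its media type: lowercased, with
// parameters such as charset stripped. Null when absent or empty.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return essence === '' ? null : essence;
}

// Would a cross-origin POST with this Content-Type skip the preflight?
function isPreflightFree(contentType) {
  const mt = mediaType(contentType);
  return mt !== null && CORS_SAFELISTED_TYPES.has(mt);
}

// Hypothetical vulnerable check: decides "this is JSON" from the body and
// ignores the declared media type. Any check that lets a safelisted type
// reach the JSON path has the same consequence.
function looseIsJsonRequest(contentType, body) {
  try { JSON.parse(body); return true; } catch { return false; }
}

// Hardened check: only an exact application/json media type is JSON.
function strictIsJsonRequest(contentType) {
  return mediaType(contentType) === 'application/json';
}

// Minimal stand-in for a GraphQL HTTP handler: 'executed' when the body
// would be run as a GraphQL operation, 'rejected' otherwise.
function handleGraphQL(req, isJson) {
  const ct = req.headers['content-type'];
  if (!isJson(ct, req.body)) return 'rejected';
  let doc;
  try { doc = JSON.parse(req.body); } catch { return 'rejected'; }
  return typeof doc.query === 'string' ? 'executed' : 'rejected';
}

// Constructed sample requests (not captured traffic). A malicious page
// calling fetch(url, { method: 'POST', credentials: 'include',
// body: JSON.stringify({...}) }) gets text/plain;charset=UTF-8 as the
// default Content-Type, so the browser sends it, cookies attached,
// with no preflight.
const forgedRequest = {
  headers: { 'content-type': 'text/plain;charset=UTF-8' },
  body: JSON.stringify({ query: 'mutation { deleteMyAccount }' }),
};
// A legitimate client declaring JSON explicitly.
const legitRequest = {
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: JSON.stringify({ query: '{ me { id } }' }),
};

function demo() {
  return {
    forgedSkipsPreflight: isPreflightFree(forgedRequest.headers['content-type']),
    forgedBeforeFix: handleGraphQL(forgedRequest, looseIsJsonRequest),
    forgedAfterFix: handleGraphQL(forgedRequest, strictIsJsonRequest),
    legitAfterFix: handleGraphQL(legitRequest, strictIsJsonRequest),
  };
}

console.log(demo());
```

The strict media-type check is the property the fix needs: a forged request can only be preflight-free if its Content-Type is one of the three safelisted values, and none of those is application/json. As defence in depth, a GraphQL endpoint that is reached with cookie-based sessions should also validate the Origin header or require a custom request header, since either forces a preflight regardless of how the body is parsed.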
CVSS Vector Analysis
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network. Attack Complexity: Low. Privileges Required: None. User Interaction: Required (the victim must visit the attacker's page while authenticated). Scope: Unchanged. Confidentiality: Low. Integrity: Low. Availability: None. Base score computed from this vector: 5.4 (Medium).
Quick Information
Published: Mar 5, 2026
Last Modified: Mar 5, 2026