Platform
nodejs
Component
mercurius
Fixed in
16.4.1
16.4.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Mercurius versions prior to 16.4.0. The issue stems from a flaw in how Mercurius parses the Content-Type header of incoming requests, which can allow a cross-site request to be accepted as a legitimate GraphQL operation and unauthorized actions to be performed on behalf of authenticated users. The vulnerability was published on 2026-03-05 and a fix is available in version 16.4.0.
The CSRF vulnerability in Mercurius allows an attacker to craft requests that the server treats as if they came from a legitimate user, for example by submitting them from an HTML form on an attacker-controlled page. By exploiting this flaw, an attacker could perform GraphQL operations such as modifying data, changing user settings, or executing other state-changing actions within the application. The impact is amplified if the application handles sensitive data or performs critical functions, since the attacker inherits whatever the victim's session is allowed to do. Successful exploitation requires a victim who holds an authenticated session with the application (typically a session cookie that the browser attaches automatically) to visit an attacker-controlled page; the victim does not need to be actively using the application at that moment.
Exploitation context for CVE-2025-64166 is currently limited. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available. The practical impact depends heavily on which mutations and queries the Mercurius application exposes and the sensitivity of the data it handles.
Organizations and individuals running Mercurius in production, particularly those handling sensitive data or providing critical services, are at risk. Applications that authenticate GraphQL requests with cookies (or other credentials the browser attaches automatically) and rely on the Content-Type check as their only CSRF defence are especially exposed; an API that is authenticated solely by a bearer token placed in an Authorization header by application script is not reachable through a forged form.
• nodejs / server: Monitor application logs for POST requests to the GraphQL endpoint (Mercurius serves it at /graphql by default) that carry a Content-Type a browser can send cross-site without a CORS preflight, such as application/x-www-form-urlencoded, multipart/form-data or text/plain, where application/json is expected. Note that Fastify's default request log serializer records only the method, URL and remote address, not request headers, so the Content-Type must be added to the logs (for example with a custom request serializer) before a search like the following can find anything. The log path below is the page's placeholder; substitute your own:
grep 'Content-Type: application/x-www-form-urlencoded' /var/log/mercurius/access.log
• generic web: Use curl to POST a GraphQL operation with a manipulated Content-Type and check whether the server executes it. A server with the fix should not execute an operation delivered with a CSRF-capable Content-Type; compare the response against a known-patched instance rather than relying on a specific status code:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" --data '{"query":"{ __typename }"}' https://your-mercurius-app/graphql
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64166 is to upgrade to Mercurius version 16.4.0 or later, which includes the fix for the Content-Type parsing issue. If upgrading immediately is not feasible, consider temporary workarounds: enforce strict Content-Type validation in front of the GraphQL endpoint (accept only application/json, with an optional UTF-8 charset, and reject the form and text/plain types a browser can submit cross-site), validate the Origin header against the application's own origin, add anti-CSRF tokens to sensitive requests, and mark session cookies SameSite=Lax or Strict so browsers do not attach them to cross-site POSTs. A Web Application Firewall (WAF) configured to block requests to the GraphQL endpoint with unexpected Content-Types can provide an additional layer, but it does not replace the upgrade. After upgrading, confirm the fix by POSTing an operation with a manipulated Content-Type (for example application/x-www-form-urlencoded or text/plain) and verifying that the server does not execute it.
Update the Mercurius library to version 16.4.0 or later. This version fixes the CSRF vulnerability caused by incorrect parsing of the Content-Type header. The update ensures that requests are interpreted correctly and the forged-request path described above is closed.
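The following is an added example, not code from the Mercurius project or from the fix. It implements the strict Content-Type policy described under the temporary workarounds as a Fastify callback-style hook, and reuses the same policy to audit newline-delimited JSON request logs as suggested in the monitoring bullet above. The GraphQL path (/graphql), the log field names (req.method, req.url, req.headers, req.remoteAddress) and the sample log lines are assumptions and constructed data; Fastify's default request serializer does not log headers, so a custom serializer would be needed for the audit to see them in real logs.

```javascript
'use strict';
// Added example, not Mercurius project code. Strict Content-Type handling for a
// JSON GraphQL endpoint: a Fastify-style hook (temporary mitigation) and a log
// audit that reuses the same policy (detection). Path, log field names and the
// sample log lines below are assumptions / constructed data.

// Content-Types a browser sends cross-site without a CORS preflight (the CORS
// "simple request" set). A GraphQL endpoint that executes operations carried in
// these types is reachable from an attacker-controlled HTML form.
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Parse a Content-Type header into { type, params }; tolerant of case,
// surrounding whitespace and quoted parameter values (e.g. charset="UTF-8").
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [rawType, ...rawParams] = value.split(';');
  const type = rawType.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(type)) return null;
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    let v = p.slice(eq + 1).trim();
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    params[p.slice(0, eq).trim().toLowerCase()] = v;
  }
  return { type, params };
}

// Policy: exactly application/json, optional charset limited to UTF-8.
// Returns a rejection reason string, or null when the request may proceed.
function rejectReason(contentType) {
  const parsed = parseContentType(contentType);
  if (!parsed) return 'missing or malformed Content-Type';
  if (SIMPLE_TYPES.has(parsed.type)) return `CSRF-capable type ${parsed.type}`;
  if (parsed.type !== 'application/json') return `unexpected type ${parsed.type}`;
  const charset = (parsed.params.charset || 'utf-8').toLowerCase();
  if (charset !== 'utf-8' && charset !== 'utf8') return `unexpected charset ${charset}`;
  return null;
}

// Fastify callback-style hook (request, reply, done): reject POSTs to the
// GraphQL path whose Content-Type fails the policy with 415 before any route
// handler runs. Replying from a hook ends the request, so done() is not called.
function strictContentTypeHook(graphqlPath = '/graphql') {
  return function (request, reply, done) {
    const path = (request.url || '').split('?')[0];
    if (request.method === 'POST' && path === graphqlPath) {
      const reason = rejectReason(request.headers['content-type']);
      if (reason) {
        reply.code(415).send({ errors: [{ message: `Unsupported Content-Type: ${reason}` }] });
        return;
      }
    }
    done();
  };
}

// Detection: scan newline-delimited JSON request logs and return POSTs to the
// GraphQL path whose Content-Type fails the same policy. Assumes the request
// serializer records headers under req.headers (field names are assumptions).
function findSuspiciousRequests(ndjson, graphqlPath = '/graphql') {
  const hits = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    const req = entry.req || {};
    if (req.method !== 'POST' || (req.url || '').split('?')[0] !== graphqlPath) continue;
    const reason = rejectReason((req.headers || {})['content-type']);
    if (reason) hits.push({ time: entry.time, remoteAddress: req.remoteAddress, reason });
  }
  return hits;
}

// Constructed sample log (not real traffic): one legitimate JSON request, two
// cross-site-capable Content-Types, an unrelated GET and a malformed line.
const SAMPLE_LOG = [
  '{"time":1,"req":{"method":"POST","url":"/graphql","remoteAddress":"10.0.0.5","headers":{"content-type":"application/json; charset=utf-8"}}}',
  '{"time":2,"req":{"method":"POST","url":"/graphql","remoteAddress":"203.0.113.7","headers":{"content-type":"application/x-www-form-urlencoded"}}}',
  '{"time":3,"req":{"method":"POST","url":"/graphql?op=x","remoteAddress":"203.0.113.7","headers":{"content-type":"text/plain"}}}',
  '{"time":4,"req":{"method":"GET","url":"/health","remoteAddress":"10.0.0.5","headers":{}}}',
  'not json at all',
].join('\n');

console.log(JSON.stringify(findSuspiciousRequests(SAMPLE_LOG), null, 2));
```

To use the hook in a Fastify application, register it before Mercurius with `fastify.addHook('onRequest', strictContentTypeHook('/graphql'))`; because it answers from the hook, it never reaches the GraphQL handler for rejected requests. Keep the policy deliberately narrow: a parser that accepts a type merely because it contains the substring "json" would let a cross-site-capable type through again.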
CVE-2025-64166 is a Cross-Site Request Forgery vulnerability in Mercurius versions before 16.4.0, caused by incorrect Content-Type header parsing, which can allow cross-site requests to trigger unauthorized GraphQL operations in an authenticated user's session.
You are affected if you are using Mercurius versions prior to 16.4.0. Assess your deployment and upgrade as soon as possible.
Upgrade to Mercurius version 16.4.0 or later. If an immediate upgrade is not possible, apply temporary workarounds such as strict Content-Type validation in front of the GraphQL endpoint, Origin checks, anti-CSRF tokens or SameSite session cookies.
There is currently no confirmed active exploitation of CVE-2025-64166, but the lack of public PoCs does not guarantee it is not being targeted.
Refer to the official Mercurius project website or security advisories for the latest information and updates regarding CVE-2025-64166.