Platform: nodejs
Component: mercurius
Fixed in: 16.4.1, 16.4.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Mercurius versions prior to 16.4.0. This issue stems from a flaw in how the application parses the Content-Type header, potentially leading to unauthorized actions being performed on behalf of authenticated users. The vulnerability was published on 2026-03-05 and a fix is available in version 16.4.0.
The CSRF vulnerability in Mercurius allows an attacker to craft malicious requests that appear to originate from a legitimate user. By exploiting this flaw, an attacker could potentially perform actions such as modifying data, changing user settings, or executing unintended operations within the application. The impact is amplified if the application handles sensitive data or performs critical functions, as an attacker could leverage the vulnerability to gain unauthorized access or control. Successful exploitation requires the user to be authenticated and actively interacting with the application when the malicious request is triggered.
Exploitation context for CVE-2025-64166 is currently limited. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available. The vulnerability's impact depends heavily on the specific functionality exposed by the Mercurius application and the sensitivity of the data it handles.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2025-64166 is to upgrade to Mercurius version 16.4.0 or later, which includes the fix for the Content-Type parsing issue. If upgrading immediately is not feasible, consider temporary workarounds such as adding CSRF tokens to all sensitive requests or enforcing stricter Content-Type validation on the server side. Web Application Firewalls (WAFs) configured to detect and block suspicious CSRF attacks can also provide an additional layer of protection. After upgrading, confirm the fix by submitting a request with a manipulated Content-Type header and verifying that it is rejected.
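The stricter server-side Content-Type validation mentioned above can be implemented along the lines below. This is an added example for this page, not Mercurius code and not the project's actual fix: the allow-list of media types, the `classifyGraphqlRequest` helper and the sample header values are assumptions constructed for illustration, and `looseContentTypeCheck` is a generic anti-pattern shown only for contrast, with no claim about how Mercurius itself parsed the header.

```javascript
// Added example (not Mercurius code and not the project's actual fix): strict
// server-side Content-Type validation for a JSON/GraphQL endpoint as a CSRF
// hardening measure. Allow-list, helper names and sample headers are assumptions.

// Media types a cross-origin HTML form can POST without a CORS preflight. The
// browser attaches cookies to such posts, so an API that parses them as
// GraphQL requests is exposed to classic CSRF.
const FORM_CAPABLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Media types this example endpoint is willing to parse (assumed allow-list).
const ALLOWED_TYPES = new Set(['application/json', 'application/graphql+json']);

// Parse a Content-Type header (RFC 9110 shape) into { mediaType, params }.
// Returns null when the header is missing or structurally invalid.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [typePart, ...paramParts] = value.split(';');
  const mediaType = typePart.trim().toLowerCase();
  // Exactly one "type/subtype" token: no spaces, no commas, no second type.
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp(`^${token}/${token}$`).test(mediaType)) return null;
  const params = Object.create(null);
  for (const raw of paramParts) {
    if (raw.trim() === '') continue;            // tolerate a trailing ';'
    const eq = raw.indexOf('=');
    if (eq === -1) return null;                 // "name" without "=value"
    const name = raw.slice(0, eq).trim().toLowerCase();
    let val = raw.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (!name) return null;
    params[name] = val.toLowerCase();
  }
  return { mediaType, params };
}

// Loose check (anti-pattern, for contrast): a substring test also accepts a
// header that merely contains the allowed string, e.g. inside a parameter.
function looseContentTypeCheck(value) {
  return typeof value === 'string' && value.toLowerCase().includes('application/json');
}

// Strict check: the parsed media type itself must be allow-listed, and the only
// parameter tolerated is charset=utf-8.
function strictContentTypeCheck(value) {
  const parsed = parseContentType(value);
  if (!parsed || !ALLOWED_TYPES.has(parsed.mediaType)) return false;
  return Object.entries(parsed.params).every(([n, v]) => n === 'charset' && v === 'utf-8');
}

// Gate a request-like object ({ method, headers }) before the body is parsed.
// Hypothetical helper: returns an HTTP status and a short reason.
function classifyGraphqlRequest(req) {
  const method = String(req.method || '').toUpperCase();
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    return { status: 200, reason: 'read-only method, not gated here' };
  }
  const headers = req.headers || {};
  const ct = headers['content-type'] ?? headers['Content-Type'];
  if (ct === undefined) return { status: 415, reason: 'missing Content-Type' };
  const parsed = parseContentType(ct);
  if (!parsed) return { status: 400, reason: 'malformed Content-Type' };
  if (FORM_CAPABLE_TYPES.has(parsed.mediaType)) {
    return { status: 415, reason: `form-capable media type ${parsed.mediaType} rejected` };
  }
  if (!strictContentTypeCheck(ct)) {
    return { status: 415, reason: `media type ${parsed.mediaType} not allowed` };
  }
  return { status: 200, reason: 'accepted' };
}

// Constructed sample headers (not captured from real traffic).
const SAMPLES = [
  'application/json',
  'application/json; charset=utf-8',
  'Application/JSON',
  'text/plain',
  'text/plain; x=application/json',   // the substring check accepts this one
  'application/json, text/plain',     // two types in one header: malformed
  'multipart/form-data; boundary=abc',
  undefined,
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'loose:', looseContentTypeCheck(s), 'strict:', strictContentTypeCheck(s));
}
```

Running the file with `node` prints each sample classified by both checks. `classifyGraphqlRequest` is the shape of gate a request hook would apply before the GraphQL body is parsed: 415 for form-capable or disallowed media types, 400 for a header that does not parse as a single media type. It is also what the post-upgrade verification request with a manipulated Content-Type header should run into, a rejected status rather than a parsed operation.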
Update the Mercurius library to version 16.4.0 or higher. This version fixes the CSRF vulnerability caused by incorrect Content-Type header parsing. The update ensures requests are interpreted correctly and prevents potential attacks.
CVE-2025-64166 is a Cross-Site Request Forgery vulnerability in Mercurius versions before 16.4.0, caused by incorrect Content-Type header parsing, potentially allowing unauthorized actions.
You are affected if you are using Mercurius versions prior to 16.4.0. Assess your deployment and upgrade as soon as possible.
Upgrade to Mercurius version 16.4.0 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2025-64166, but the lack of public PoCs does not guarantee it is not being targeted.
Refer to the official Mercurius project website or security advisories for the latest information and updates regarding CVE-2025-64166.