Platform: nodejs
Component: mercurius
Fixed versions: 16.4.1, 16.4.0
A Cross-Site Request Forgery (CSRF) vulnerability, CVE-2025-64166, affects Mercurius (the GraphQL adapter for Fastify) in versions prior to 16.4.0. It stems from a flaw in how the library parses the request's Content-Type header, which can let a cross-site request be processed as a legitimate GraphQL request and trigger actions on behalf of an authenticated user. The vulnerability was published on 2026-03-05, and a fix is available in version 16.4.0.
The flaw lets an attacker craft a request that the victim's browser sends to the Mercurius endpoint with the victim's session credentials attached, so that the server handles it as if the user had issued it. In practice this means any mutation the victim is authorized to run (modifying data, changing account settings, or other state-changing operations) can be triggered from an attacker-controlled page. The impact scales with what the schema exposes: a read-only schema offers little, while one with sensitive mutations can hand the attacker control over the victim's data. Exploitation requires that the victim hold a valid session the browser attaches automatically (typically a cookie) and visit, or be redirected to, a page the attacker controls; the attacker never needs the credentials themselves.
Exploitation context for CVE-2025-64166 is currently limited. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available. The vulnerability's impact depends heavily on the specific functionality exposed by the Mercurius application and the sensitivity of the data it handles.
Organizations running Mercurius in production are at risk, particularly where the GraphQL endpoint is authenticated with cookies (or other credentials the browser attaches automatically) and exposes mutations. Deployments that authenticate solely with an Authorization header set by application code cannot be reached by a cross-site form post, since a browser will not add that header without a CORS preflight, but they should still be upgraded.
• nodejs / server: Monitor request logs for POSTs to the GraphQL endpoint that carry an unexpected Content-Type (e.g., application/x-www-form-urlencoded or text/plain where application/json is expected). Note that most access logs, including Fastify's default request logging, do not record request headers, so the Content-Type must be logged explicitly (or taken from a reverse-proxy log) for a search like the following to find anything:
grep 'Content-Type: application/x-www-form-urlencoded' /var/log/mercurius/access.log
• generic web: Use curl to send a POST with a manipulated Content-Type and a GraphQL body, and observe whether the server executes it or refuses it:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" --data '{"query":"{ __typename }"}' https://your-mercurius-app/sensitive-endpoint
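The log search above only works if the Content-Type was recorded. The following is an added example (not code from the page or from the Mercurius project) that scans JSON request-log lines for POSTs to a GraphQL endpoint whose Content-Type is missing or is one of the CORS-safelisted types a browser will send cross-origin without a preflight, which is the shape a cross-site form submission takes. The log format, the field names (`method`, `url`, `contentType`, `origin`) and the sample lines are assumptions constructed for the demo; Fastify's default request serializer does not log headers, so producing such lines needs a custom serializer or a reverse-proxy log.

```javascript
// Added example, not Mercurius's own code: flag GraphQL POSTs whose
// Content-Type a browser could have sent cross-site without a preflight.

// CORS-safelisted Content-Type values: a <form> or fetch() may send these
// cross-origin with cookies attached and no preflight.
const SAFELISTED = ['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data'];

// Constructed sample log lines for the demo, not real traffic.
const SAMPLE_LOG = [
  '{"time":"2026-03-05T10:00:01Z","method":"POST","url":"/graphql","contentType":"application/json; charset=utf-8","origin":"https://app.example"}',
  '{"time":"2026-03-05T10:00:02Z","method":"POST","url":"/graphql","contentType":"text/plain","origin":"https://attacker.example"}',
  '{"time":"2026-03-05T10:00:03Z","method":"POST","url":"/graphql?op=x","contentType":"application/x-www-form-urlencoded","origin":null}',
  '{"time":"2026-03-05T10:00:04Z","method":"POST","url":"/graphql","contentType":null,"origin":null}',
  '{"time":"2026-03-05T10:00:05Z","method":"GET","url":"/health","contentType":null,"origin":null}',
  'garbage line that is not JSON',
].join('\n');

// Lowercase "type/subtype" with parameters stripped; null if absent.
function mediaEssence(contentType) {
  if (typeof contentType !== 'string' || contentType.trim() === '') return null;
  return contentType.split(';')[0].trim().toLowerCase();
}

// Returns one finding per suspicious request so the result can be asserted
// on (or forwarded to a SIEM) rather than only printed.
function findSuspicious(logText, graphqlPath = '/graphql') {
  const findings = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    if (rec.method !== 'POST' || typeof rec.url !== 'string') continue;
    // Match the endpoint exactly or with a query string, not a path prefix.
    if (rec.url !== graphqlPath && !rec.url.startsWith(graphqlPath + '?')) continue;
    const essence = mediaEssence(rec.contentType);
    let reason = null;
    if (essence === null) reason = 'missing Content-Type';
    else if (SAFELISTED.includes(essence)) reason = `CORS-safelisted Content-Type ${essence}`;
    if (reason) findings.push({ time: rec.time, origin: rec.origin, reason });
  }
  return findings;
}

// Standalone run: one finding per line.
for (const f of findSuspicious(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

A hit with an Origin outside your own sites is the strongest signal; a safelisted Content-Type with a first-party Origin more often indicates a legitimate client that should be fixed before a strict server-side check is turned on.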
Exploitation status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64166 is to upgrade to Mercurius 16.4.0 or later, which fixes the Content-Type parsing issue. If an immediate upgrade is not feasible, temporary workarounds include enforcing strict Content-Type validation in front of the GraphQL route (accept only application/json and refuse the CORS-safelisted types text/plain, application/x-www-form-urlencoded and multipart/form-data), requiring a CSRF token or a custom request header on state-changing requests, and checking the Origin header against an allow-list of your own sites. A WAF or reverse proxy can apply the same Content-Type and Origin rules to POSTs on the GraphQL path as an additional layer. After upgrading, confirm the fix by submitting a GraphQL POST with a manipulated Content-Type header and verifying that it is refused rather than executed.
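To make the "stricter Content-Type validation" workaround concrete, here is an added example (not Mercurius's own code; the page does not describe the exact parsing flaw, so this shows the generic precondition for GraphQL CSRF and the check that removes it). It contrasts a lenient handler that executes any body which parses as JSON with a strict one that requires the media type essence to be exactly application/json. The function names, the `{ query }` document shape and the constructed request bodies are assumptions.

```javascript
// Added example, not Mercurius's own code: strict Content-Type gate for a
// GraphQL POST endpoint, shown beside the lenient pattern that is CSRF-able.

// Media types a browser will send cross-origin, with cookies, from a <form>
// or fetch() without a CORS preflight.
const SAFELISTED_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Parse "type/subtype; name=value; ..." into a lowercase essence plus params.
// Returns null for a missing or syntactically invalid header.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [essence, ...rawParams] = header.split(';');
  const type = essence.trim().toLowerCase();
  if (!/^[a-z0-9][a-z0-9!#$&^_.+-]*\/[a-z0-9][a-z0-9!#$&^_.+-]*$/.test(type)) return null;
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    const value = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1').toLowerCase();
    if (name) params[name] = value;
  }
  return { type, params };
}

// A GraphQL document is accepted here only if it is a JSON object carrying a
// string "query" field (assumed request shape).
function looksLikeGraphQL(body) {
  try {
    const doc = JSON.parse(body);
    return typeof doc.query === 'string';
  } catch {
    return false;
  }
}

// Lenient handling: whatever the declared type, a body that parses as JSON is
// executed. A cross-site text/plain form post can therefore deliver a
// mutation with the victim's cookies and no preflight.
function lenientAccepts(headers, body) {
  return looksLikeGraphQL(body);
}

// Strict handling: safelisted types are never treated as GraphQL documents,
// the essence must be exactly application/json, and a charset other than
// UTF-8 is refused (JSON over HTTP is UTF-8 per RFC 8259).
function strictAccepts(headers, body) {
  const ct = parseContentType(headers['content-type']);
  if (!ct) return false;
  if (SAFELISTED_TYPES.has(ct.type)) return false;
  if (ct.type !== 'application/json') return false;
  if (ct.params.charset && ct.params.charset !== 'utf-8') return false;
  return looksLikeGraphQL(body);
}

// Constructed cross-site payload: <form enctype="text/plain"> with one field
// whose name opens the JSON object and whose value closes it. The browser
// serialises the field as name=value, so the "=" lands inside a dummy key.
const CROSS_SITE_BODY = '{"query":"mutation { deleteAccount }","dummy":"=x"}';
const LEGIT_BODY = '{"query":"{ __typename }"}';

// Standalone run: the same payload under both policies.
console.log('lenient, text/plain:', lenientAccepts({ 'content-type': 'text/plain' }, CROSS_SITE_BODY));
console.log('strict, text/plain:', strictAccepts({ 'content-type': 'text/plain' }, CROSS_SITE_BODY));
console.log('strict, application/json:', strictAccepts({ 'content-type': 'application/json' }, LEGIT_BODY));
```

In a Fastify application the strict check belongs in a hook that runs before the GraphQL route (for example `onRequest` or `preValidation`), or in a custom parser registered with `fastify.addContentTypeParser` so that only application/json is ever parsed for that route; rejecting with 415 rather than 400 tells legitimate clients what to fix. Pair it with an Origin allow-list for defence in depth, since a strict Content-Type alone does not protect endpoints that also accept GET queries.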
Update the Mercurius library to version 16.4.0 or later. That version fixes the CSRF vulnerability caused by incorrect parsing of the Content-Type header; after the update, requests are interpreted correctly and the potential attack is prevented.
CVE-2025-64166 is a Cross-Site Request Forgery vulnerability in Mercurius versions before 16.4.0, caused by incorrect Content-Type header parsing, which can allow actions to be performed on behalf of an authenticated user without their intent.
You are affected if you are using Mercurius versions prior to 16.4.0. Assess your deployment and upgrade as soon as possible.
Upgrade to Mercurius version 16.4.0 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2025-64166, but the lack of public PoCs does not guarantee it is not being targeted.
Refer to the official Mercurius project website or security advisories for the latest information and updates regarding CVE-2025-64166.