Platform
nodejs
Component
mercurius
Fixed in
16.4.1
16.4.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Mercurius versions prior to 16.4.0. The issue stems from a flaw in how the library parses the Content-Type header of incoming requests, potentially allowing actions to be performed on behalf of authenticated users without their consent. The vulnerability was published on 2026-03-05 and a fix is available in version 16.4.0.
The CSRF vulnerability in Mercurius allows an attacker to craft a request that appears to originate from a legitimate user, typically by having the victim's browser submit it from an attacker-controlled page. For a JSON API such as a GraphQL endpoint, a Content-Type parsing flaw matters because browsers send requests with "simple" content types (application/x-www-form-urlencoded, multipart/form-data, text/plain) cross-origin without a CORS preflight; if the server nevertheless treats such a body as a GraphQL operation, the CORS policy is never consulted before the operation runs. By exploiting this flaw, an attacker could perform actions such as modifying data, changing user settings, or executing other mutations within the application. The impact is amplified if the application handles sensitive data or performs critical functions. Successful exploitation requires that the victim holds an authenticated session which the browser attaches automatically (for example, a session cookie) and visits attacker-controlled content while that session is valid; the victim does not need to be actively using the application at that moment.
Exploitation context for CVE-2025-64166 is currently limited. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available. The vulnerability's impact depends heavily on the specific functionality exposed by the Mercurius application and the sensitivity of the data it handles.
Organizations and individuals using Mercurius in production environments, particularly those handling sensitive data or providing critical services, are at risk. Applications with weak CSRF protection or those relying on implicit trust in user-supplied data are especially vulnerable.
• nodejs / server: Monitor application logs for requests to the GraphQL endpoint with unexpected Content-Type headers (e.g., application/x-www-form-urlencoded, multipart/form-data or text/plain where application/json is expected). This assumes your access log records the request Content-Type; the default Fastify request log does not include request headers unless you customize the request serializer.
grep -E 'Content-Type: (application/x-www-form-urlencoded|multipart/form-data|text/plain)' /var/log/mercurius/access.log
• generic web: Use curl to send a GraphQL operation with a manipulated Content-Type header to your endpoint (by default /graphql in Mercurius) and observe the response. A fixed server should refuse to execute the operation rather than return a GraphQL result.
curl -H "Content-Type: application/x-www-form-urlencoded" --data '{"query":"{ __typename }"}' https://your-mercurius-app/graphql
Exploit Status
EPSS
0.01% (0th percentile)
The primary mitigation for CVE-2025-64166 is to upgrade to Mercurius version 16.4.0 or later, which includes the fix for the Content-Type parsing issue. If upgrading immediately is not feasible, consider temporary workarounds: enforce on the server side that the GraphQL endpoint only executes operations whose parsed Content-Type is exactly application/json (a type that forces a CORS preflight for cross-origin browser requests), require a custom request header that browsers cannot send without a preflight, add CSRF tokens to all state-changing requests, and set the SameSite attribute on session cookies so that they are not attached to cross-site requests. A Web Application Firewall (WAF) configured to block requests to the GraphQL endpoint that carry a form or text/plain Content-Type can provide an additional layer of protection, but it does not replace the fix. After upgrading, confirm the fix by submitting a request with a manipulated Content-Type header and verifying that the operation is rejected rather than executed.
Update the Mercurius library to version 16.4.0 or higher. This version corrects the CSRF vulnerability caused by the incorrect parsing of the Content-Type header. The update ensures that requests are interpreted correctly and prevents the attacks described above.
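The following is an added example, not code from the Mercurius project or from this advisory. It shows the two points made in the detection bullets and in the mitigation above: how a strict Content-Type check differs from a weak substring check, and how to scan access-log lines for requests to the GraphQL endpoint that arrive with a "simple" content type. The endpoint path /graphql, the log format, the sample log lines and the naive `includes()` check are all assumptions made for this example; the substring check illustrates the general class of weak Content-Type parsing and is not presented as the confirmed root cause in Mercurius.

```javascript
// Added example, not Mercurius project code. Assumptions: the GraphQL
// endpoint is /graphql, the access-log format below is constructed for this
// example, and weakAcceptsJson() is a generic illustration of weak
// Content-Type parsing rather than the confirmed Mercurius root cause.
'use strict';

// Content types a browser may send cross-origin WITHOUT a CORS preflight
// (the CORS-safelisted values for the Content-Type request header).
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Parse a Content-Type header value into its essence (type/subtype) and its
// parameters, the way a browser does: everything after ';' is a parameter
// and is ignored when deciding whether the request needs a preflight.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [rawEssence, ...rawParams] = header.split(';');
  const essence = rawEssence.trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp(`^${token}/${token}$`).test(essence)) return null;
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue; // a parameter without '=' is skipped, as in browsers
    const name = p.slice(0, eq).trim().toLowerCase();
    params[name] = p.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return { essence, params };
}

// Weak check: accepts any header that mentions application/json anywhere, so
// "text/plain; application/json" passes. Its essence is text/plain, which a
// browser sends cross-origin without a preflight.
function weakAcceptsJson(header) {
  return typeof header === 'string' &&
    header.toLowerCase().includes('application/json');
}

// Strict check: the parsed essence must be exactly application/json. That type
// is not CORS-safelisted, so a cross-origin browser request must pass a
// preflight (and therefore the server's CORS policy) before the body is sent.
function strictAcceptsJson(header) {
  const ct = parseContentType(header);
  return ct !== null && ct.essence === 'application/json';
}

// Would a browser send a request with this Content-Type without a preflight?
function isSimpleRequestContentType(header) {
  const ct = parseContentType(header);
  return ct !== null && SIMPLE_TYPES.has(ct.essence);
}

// Detection: flag POSTs to the GraphQL endpoint whose Content-Type would not
// pass the strict check. Constructed log format for this example:
//   <ip> <method> <path> <status> "<content-type>"
const LOG_RE = /^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$/;

function scanAccessLog(lines, endpoint = '/graphql') {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, method, path, status, contentType] = m;
    if (path !== endpoint || method !== 'POST') continue;
    if (!strictAcceptsJson(contentType)) {
      findings.push({
        ip,
        status: Number(status),
        contentType,
        simple: isSimpleRequestContentType(contentType), // preflight-free?
      });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 POST /graphql 200 "application/json; charset=utf-8"',
  '203.0.113.9 POST /graphql 200 "text/plain; application/json"',
  '198.51.100.7 POST /graphql 200 "application/x-www-form-urlencoded"',
  '198.51.100.7 GET /healthz 200 ""',
];

// Running the scan on the sample log reports the second and third lines only.
console.log(scanAccessLog(SAMPLE_LOG));
```

Run it with `node` to see the two flagged entries. The design point is that the check must operate on the parsed essence of the header, not on the raw string: `text/plain; application/json` satisfies the substring check yet is a preflight-free request from the browser's point of view, which is exactly the situation CSRF protection has to rule out. A request logged with a simple type and a 200 status on the GraphQL endpoint is worth investigating on a server that has not yet been upgraded.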
CVE-2025-64166 is a Cross-Site Request Forgery vulnerability in Mercurius versions before 16.4.0, caused by incorrect Content-Type header parsing, potentially allowing unauthorized actions.
You are affected if you are using Mercurius versions prior to 16.4.0. Assess your deployment and upgrade as soon as possible.
Upgrade to Mercurius version 16.4.0 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2025-64166, but the lack of public PoCs does not guarantee it is not being targeted.
Refer to the official Mercurius project website or security advisories for the latest information and updates regarding CVE-2025-64166.