641 matches found
CVE-2026-30241
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...
CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2026-3419
Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1https://httpwg.org/specs/rfc9110.htmlfield.content-type. For example, a request sent with Content-Type: application/json garbage passes validation and ...
CVE-2026-3419
Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1https://httpwg.org/specs/rfc9110.htmlfield.content-type. For example, a request sent with Content-Type: application/json garbage passes validation and ...
CVE-2026-3419 Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1https://httpwg.org/specs/rfc9110.htmlfield.content-type. For example, a request sent with Content-Type: application/json garbage passes validation and ...
CVE-2026-3419
CVE-2026-3419 (Fastify) : A flaw allows RFC-invalid Content-Type headers with trailing characters to bypass validation and reach content-type parsers, potentially causing misinterpretation of requests. This affects Fastify's handling of Content-Type header parsing, including regex-based parsers, ...
Fastify 安全漏洞
Fastify is an open-source web framework developed by Fastify. There is a security vulnerability in Fastify, which stems from incorrectly accepting format-errors Content-Type headers. This could allow attackers to send requests that bypass validations and be processed by the server...
PT-2026-23759
Name of the Vulnerable Software and Affected Versions Mercurius versions prior to 16.8.0 Description Mercurius does not properly enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check functions as expected for HTTP queries and...
@amedia/brick-mcp (>=0.0.0-vSNAPSHOT-20260217144000 <=1.0.0), @area15/ticket-component (=0.1.0) +108 more potentially affected by CVE-2026-3419 via fastify (>=5.7.2 <=5.7.4)
fastify NPM version =5.7.2, =0.0.0-vSNAPSHOT-20260217144000, =0.5.2, =0.5.2, =0.5.2, =0.5.2, =0.2.11, =2.4.2-next.143, =2.4.2-next.143, =2.4.2-next.143, =2.4.2-next.143, =2.11.6, =5.1.19, =2.21.2, =2.21.2, =2.21.3 and more Source cves: CVE-2026-3419 Source advisory: SNYK:JS-FASTIFY-15428269...
@amedia/brick-mcp (>=0.0.0-vSNAPSHOT-20260217144000 <=1.0.0), @area15/ticket-component (=0.1.0) +108 more potentially affected by CVE-2026-3419 via fastify (>=5.7.2 <=5.7.4)
fastify NPM version =5.7.2, =0.0.0-vSNAPSHOT-20260217144000, =0.5.2, =0.5.2, =0.5.2, =0.5.2, =0.2.11, =2.4.2-next.143, =2.4.2-next.143, =2.4.2-next.143, =2.4.2-next.143, =2.11.6, =5.1.19, =2.21.2, =2.21.2, =2.21.3 and more Source cves: CVE-2026-3419 Source advisory: OSV:GHSA-573F-X89G-HQP9...
GHSA-573F-X89G-HQP9 Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Description Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being...
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Description Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being...
EUVD-2025-208313
Mercurius: Incorrect Content-Type parsing can lead to CSRF attack...
Cross-site Request Forgery (CSRF)
Overview mercurius is a GraphQL adapter for Fastify Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to incorrect parsing of the Content-Type header. An attacker can perform unauthorized actions on behalf of an authenticated user by sending specially crafted...
GHSA-V66J-6WWF-JC57 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166
Mercurius (GraphQL adapter for Fastify) has a CSRF flaw prior to v16.4.0 caused by incorrect parsing of Content-Type headers. Requests with Content-Type like application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json, bypassing fetch() prefli...
PT-2026-23452
Name of the Vulnerable Software and Affected Versions Mercurius versions prior to 16.4.0 Description Mercurius, a GraphQL adapter for Fastify, was found to have a cross-site request forgery CSRF issue. The problem stems from the incorrect parsing of the Content-Type header in requests...