birkir prime GraphQL GET-Based CSRF (CVE-2025-15550)

Author: Beatriz Fresno Naumova (beafn28), NinjaGPT

Date: 29/01/2026

Vendor: birkir

Product: prime

Versions affected: ≤ 0.4.0.beta.0

Component: GraphQL endpoint (GET-based query handling)

CWE: CWE-352 – Cross-Site Request Forgery (CSRF)

Attack type: Remote

Impact: Cross-Site Request Forgery (CSRF)

Description

birkir prime versions up to and including 0.4.0.beta.0 are affected by a Cross-Site Request Forgery (CSRF) vulnerability in the GraphQL endpoint.

The application allows GraphQL queries to be executed via HTTP GET requests. Because browsers issue GET requests automatically and the endpoint applies no CSRF protection, an attacker can craft a GET request carrying a GraphQL query and cause an authenticated user's browser to send it without the user's knowledge.

Because such a request carries the victim's session credentials, the attacker can perform unauthorized actions in the victim's authenticated session simply by choosing the GraphQL query parameters.

Impact

Primary impact

Execution of unauthorized GraphQL queries in the context of an authenticated user.

Consequences

  • Unauthorized state-changing actions

  • Abuse of privileged GraphQL functionality

  • Potential data modification or exposure

  • Violation of application trust boundaries

PoC

CVSS Details

CVSS v4.0 Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Base Score: 5.1 (Medium)

Solution

No official fix was available at the time of disclosure.

Recommendation

  • Disable execution of GraphQL queries via HTTP GET.

  • Enforce CSRF protection mechanisms for all GraphQL operations.

  • Require POST requests with valid CSRF tokens for state-changing queries.

  • Apply strict origin and same-site cookie policies.

Mitigation

  • Restrict GraphQL endpoints to accept POST requests only.

  • Implement CSRF tokens or double-submit cookie mechanisms.

  • Review GraphQL resolvers to ensure proper authorization checks.

  • Regularly audit GraphQL endpoints for unintended behaviors.

Discoverer

  • Beatriz Fresno Naumova (beafn28)

  • NinjaGPT

References

Last updated