GraphQL Security Flaw: HEAD Requests Bypass CSRF Protection Allowing Unauthorized Mutations
The video examines a GraphQL CSRF bypass caused by improper HTTP method handling. Many GraphQL servers accept an operation through URL parameters on GET, and because a GET can be triggered cross-site with the victim's cookies and without a CORS preflight, they confine GET to queries and require mutations to arrive by POST. The affected server enforced this with an explicit check on the GET method alone. HEAD requests are routed by the web framework to the same handler as GET and carry the same URL parameters, but they do not match the check, so a HEAD request with a mutation in its query parameter is executed: only the response body is suppressed, and the side effect still happens. HEAD, like GET, is a CORS-safelisted method, so an attacker's page can send it with credentials from any origin (subject to the cookie's SameSite attribute). The discussion references a similar GitHub report from a few years prior, noting that this misconfiguration recurs. No specific tools or dates beyond the GitHub reference are mentioned. The key takeaway is that HEAD must be restricted exactly as GET is, or, better, that mutations be accepted only on POST via an allow-list, so that read-only methods can never modify data.
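The following is an added example, not code from the video or from the affected project: a minimal model of a GraphQL HTTP handler's method gate, showing the flawed GET-only check beside a hardened version. The names (flawedGate, hardenedGate, makeRequest, extractDocument) and the sample mutation are constructed for illustration. It assumes an Express-style router, which by default dispatches HEAD to the handler registered for GET when no HEAD handler exists, so the handler observes method === "HEAD" with the same URL parameters a GET would carry.

```javascript
// Added example (not the video's or the project's code). Models the method
// gate in front of GraphQL execution; no real GraphQL engine is involved.

// Top-level operation type of a GraphQL document: "query", "mutation" or
// "subscription". The anonymous shorthand "{ ... }" is a query.
function operationType(document) {
  const src = document.replace(/#[^\n]*/g, "").trimStart(); // drop comments
  const m = /^(query|mutation|subscription)\b/.exec(src);
  return m ? m[1] : "query";
}

// Constructed request objects carrying only the fields the gates read.
function makeRequest(method, url, body) {
  const params = new URL(url, "http://localhost").searchParams;
  return { method, params, body: body || null };
}

// Many GraphQL servers take the document from the URL query string for any
// method and fall back to the parsed body. Both gates below share this.
function extractDocument(req) {
  return req.params.get("query") || (req.body && req.body.query) || null;
}

// Flawed gate: mutations are refused only when the method is literally GET.
// HEAD reaches this handler (routed like GET) with the same URL parameters
// but is not matched, so a mutation passes and is executed; the framework
// merely strips the response body.
function flawedGate(req) {
  const document = extractDocument(req);
  if (!document) return { status: 400, executed: false };
  const op = operationType(document);
  if (req.method === "GET" && op !== "query") {
    return { status: 405, executed: false };
  }
  return { status: 200, executed: true, op };
}

// Hardened gate: an allow-list instead of a deny-list. Only POST may carry a
// mutation; GET, HEAD and any other method are confined to queries.
// (The minimal fix, method === "GET" || method === "HEAD", also closes this
// hole but still has to be kept in step with framework routing rules.)
function hardenedGate(req) {
  const document = extractDocument(req);
  if (!document) return { status: 400, executed: false };
  const op = operationType(document);
  if (req.method !== "POST" && op !== "query") {
    return { status: 405, executed: false };
  }
  return { status: 200, executed: true, op };
}

// Constructed attacker URL. A cross-site page can send this as HEAD with
// credentials and no preflight, e.g.
//   fetch(url, { method: "HEAD", mode: "no-cors", credentials: "include" })
const MUTATION_URL =
  "/graphql?query=" +
  encodeURIComponent('mutation { updateEmail(email: "attacker@example.com") { ok } }');

// Runs each gate against the same mutation under GET, HEAD and POST.
function demo() {
  return {
    getFlawed: flawedGate(makeRequest("GET", MUTATION_URL)).executed,
    headFlawed: flawedGate(makeRequest("HEAD", MUTATION_URL)).executed,
    headHardened: hardenedGate(makeRequest("HEAD", MUTATION_URL)).executed,
    postHardened: hardenedGate(
      makeRequest("POST", "/graphql", { query: "mutation { updateEmail(email: \"x\") { ok } }" })
    ).executed,
  };
}
```

Running demo() shows the bypass directly: the flawed gate blocks the mutation on GET but executes it on HEAD, while the hardened gate executes mutations only on POST. The design point is that the safe set of methods is enumerated (allow-list) rather than the unsafe ones, so a method the framework quietly aliases to GET cannot fall through the check.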