diff --git a/src/utils/body.ts b/src/utils/body.ts
index c89aacb4..f8036b2e 100644
--- a/src/utils/body.ts
+++ b/src/utils/body.ts
@@ -134,7 +134,10 @@ export function readRawBody(
 /**
  * Reads request body and tries to safely parse using [destr](https://github.com/unjs/destr).
- *
+ *
+ * Be aware that this utility is not restricted to `application/json` and will parse `application/x-www-form-urlencoded` content types.
+ * Because of this, authenticated `GET`/`POST` handlers may be at risk of a [CSRF](https://owasp.org/www-community/attacks/csrf) attack, and must check the `content-type` header manually.
+ *
  * @example
  * export default defineEventHandler(async (event) => {
  * const body = await readBody(event);