Security: Incomplete handling for Preflighted Cross-Origin XMLHttpRequests
Reported by eranw...@gmail.com, Nov 29 2016
Issue description
VULNERABILITY DETAILS
When making a Cross-Origin XMLHttpRequest POST request that has 'withCredentials' set to true as well as 'Content-Type: application/json', Google Chrome fails to interpret the server's Access-Control-Request-Methods header in its response to the Preflight request. That is, Google Chrome will send a subsequent 'POST' request EVEN IF the server responds with 'Access-Control-Request-Methods: GET' in its response to the browser's Preflight.
VERSION
Chrome Version: 54.0.2840.99 m + stable
Operating System: Windows 7 SP1
REPRODUCTION CASE
Let's say that our server responds like so to an OPTIONS preflight request:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,Content-Type,...
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: <some origin>
Access-Control-Expose-Headers: Range
Access-Control-Max-Age: 3600
The JavaScript below makes Google Chrome create an XMLHttpRequest that I believe SHOULD fail:
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://some-domain-that-supports-cors');
xhr.withCredentials = true;  // send cookies/credentials with the cross-origin request
xhr.setRequestHeader('content-type', 'application/json');  // non-safelisted value, so a preflight is sent
xhr.send(JSON.stringify({'test': 'payload'}));
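As an added example that is not Chromium's code: the check a browser performs on a preflight response, written as the Fetch specification's CORS-preflight fetch defines it and run on the report's own preflight headers and XHR (the allowed origin is a constructed placeholder). The specification exempts the CORS-safelisted methods GET, HEAD and POST from the Access-Control-Allow-Methods check, so the POST above passes while a PUT against the same response would be refused; a server therefore has to enforce which methods it accepts on the actual request rather than rely on the preflight to block them.

```javascript
// Added example (not Chromium's code): the CORS-preflight response check as the
// Fetch specification defines it. Header names are matched case-insensitively.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// Comma-separated header list -> trimmed, non-empty, lower-cased tokens.
function listTokens(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}
// A request header the browser may send without explicit preflight approval.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (['accept', 'accept-language', 'content-language'].includes(n)) return true;
  if (n !== 'content-type') return false;
  return SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
}
// request: { origin, method, headers, withCredentials }; preflight: the server's
// response headers. Returns { ok, reason }: may the actual request be sent?
function preflightAllows(request, preflight) {
  const p = Object.fromEntries(
    Object.entries(preflight).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const creds = request.withCredentials === true;
  const allowOrigin = p['access-control-allow-origin'];
  if (!(allowOrigin === request.origin || (allowOrigin === '*' && !creds))) {
    return { ok: false, reason: 'origin not allowed' };
  }
  if (creds && p['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  const method = request.method.toUpperCase();
  const methods = listTokens(p['access-control-allow-methods']).map((m) => m.toUpperCase());
  // CORS-safelisted methods (GET, HEAD, POST) are exempt from the methods check.
  if (!methods.includes(method) && !SAFELISTED_METHODS.has(method) &&
      (creds || !methods.includes('*'))) {
    return { ok: false, reason: `method ${method} not allowed` };
  }
  const headerNames = listTokens(p['access-control-allow-headers']);
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (isSafelistedHeader(name, value)) continue;
    if (!headerNames.includes(name.toLowerCase()) && (creds || !headerNames.includes('*'))) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: 'allowed' };
}
// The report's preflight response (allowed origin is a constructed placeholder) and its XHR.
const REPORT_PREFLIGHT = { 'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'Origin,Accept,Content-Type',
  'Access-Control-Allow-Methods': 'GET', 'Access-Control-Allow-Origin': 'https://app.example' };
const REPORT_XHR = { origin: 'https://app.example', method: 'POST', withCredentials: true,
  headers: { 'content-type': 'application/json' } };
```

`preflightAllows(REPORT_XHR, REPORT_PREFLIGHT)` reports the request as allowed; changing the method to PUT or adding a header that is not listed in Access-Control-Allow-Headers makes it refuse.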
Nov 30 2016
Okay. Is it okay if I speak about this publicly then?
On Tuesday, 29 November 2016, elawre… via monorail <monorail+v2.271331812@chromium.org> wrote:
Comment 1 by elawrence@chromium.org, Nov 29 2016