CVE-2026-25151
Published 2026-02-03
Priority: P4 34 · Severity: medium, CVSS 3.1 base score 5.9
CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS: 0.16% (5.5th percentile)
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| builder.io | qwik-city | >= 0 < 1.19.0 | 1.19.0 |
| qwik | qwik | < 1.19.0 | 1.19.0 |
| qwikdev | qwik | < 1.19.0 | 1.19.0 |
GHSA
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
ghsa·2026-02-03
CVE-2026-25151 [MEDIUM] CWE-352 Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
### Summary
Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.
### Impact
A vulnerability in checkCSRF lets an attacker bypass Origin-based CSRF checks by using malformed or multi-valued Content-Type headers. Exploitation requires the CORS preflight to succeed (so it’s blocked if preflight is denied) and is possible when the application accepts cross-origin requests or via non-browser clients. Impact varies with server CORS and cookie policies and may enable unauthorized state changes.
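The advisory names the failure mode (a CSRF gate that interprets the Content-Type header differently from the rest of the request pipeline, so a crafted or multi-valued header makes a form submission look like something else and the Origin check is skipped) but does not show the actual payloads or the 1.19.0 patch. The following is an added illustration, not Qwik City's `checkCSRF` or its fix: a deliberately lenient Content-Type gate placed beside a hardened one, both driving the same Origin-versus-Host check. The request objects, header values and function names are constructed for the example.

```javascript
// Added example (hypothetical, not Qwik City's own checkCSRF or its fix):
// a lenient Content-Type gate beside a hardened one, to show why an
// Origin-based CSRF check must parse the header the same way the body parser does.

// Media types a browser can send cross-origin from an HTML form without a CORS preflight.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Case-insensitive header lookup on a plain { name: value } object (constructed
// stand-in for a framework request; header names are stored lowercase).
function header(req, name) {
  const v = req.headers[name.toLowerCase()];
  return v === undefined ? null : v;
}

// Split a Content-Type value into its bare media types: strips parameters
// (";charset=utf-8", ";boundary=..."), trims whitespace, lowercases, and handles
// multiple comma-separated values (what you get when duplicate headers are joined).
function mediaTypesOf(value) {
  if (value === null) return [];
  return value
    .split(',')
    .map((part) => part.split(';')[0].trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// Lenient gate (the failure mode): exact comparison of the raw header string.
// Any deviation from the expected string makes the request look like "not a form",
// so the Origin check below is skipped for it.
function isFormSubmissionLenient(req) {
  return FORM_TYPES.has(header(req, 'content-type'));
}

// Hardened gate: treat the request as a form submission if ANY listed media type
// is a form type, or if the header is missing/unparseable (fail closed, since a
// body parser downstream may still read the body as a form).
function isFormSubmissionStrict(req) {
  const types = mediaTypesOf(header(req, 'content-type'));
  return types.length === 0 || types.some((t) => FORM_TYPES.has(t));
}

// Origin-based CSRF check, parameterised by the gate so both can be compared.
function checkCsrf(req, isFormSubmission) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') {
    return { ok: true, reason: 'safe method' };
  }
  if (!isFormSubmission(req)) {
    return { ok: true, reason: 'not a form submission' };
  }
  const origin = header(req, 'origin');
  if (origin === null) return { ok: false, reason: 'missing Origin' };
  let originHost;
  try {
    originHost = new URL(origin).host;
  } catch {
    return { ok: false, reason: 'unparseable Origin' };
  }
  if (originHost !== header(req, 'host')) {
    return { ok: false, reason: 'cross-origin form submission' };
  }
  return { ok: true, reason: 'same-origin' };
}

// Constructed sample requests (not captured traffic).
const CROSS = { host: 'app.example', origin: 'https://attacker.example' };
const SAMPLES = {
  plainForm: { method: 'POST', headers: { ...CROSS, 'content-type': 'application/x-www-form-urlencoded' } },
  withParam: { method: 'POST', headers: { ...CROSS, 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8' } },
  multiValued: { method: 'POST', headers: { ...CROSS, 'content-type': 'application/json, application/x-www-form-urlencoded' } },
  sameOrigin: { method: 'POST', headers: { host: 'app.example', origin: 'https://app.example', 'content-type': 'application/x-www-form-urlencoded' } },
  safeGet: { method: 'GET', headers: { ...CROSS } },
};

// Run every sample through both gates; returns { name: { lenient: ok, strict: ok } }.
function compareGates() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = {
      lenient: checkCsrf(req, isFormSubmissionLenient).ok,
      strict: checkCsrf(req, isFormSubmissionStrict).ok,
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareGates());
}
```

Running the block prints a table in which the lenient gate accepts the cross-origin `withParam` and `multiValued` requests (the gate never saw a form, so Origin was never compared) while the strict gate rejects both and still passes the same-origin post and the GET. The design point is that the gate should fail closed and derive its decision from the parsed media types, not from the raw header string, so that nothing the body parser would treat as a form can slip past the Origin comparison.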
OSV
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
osv·2026-02-03
CVE-2026-25151 [MEDIUM] Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
No detection rules found.
No public exploits indexed.