CVE-2026-25155
Published 2026-02-03
Priority: P4 · 32 · high · 7.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS: 0.13% (2.9th percentile)
Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| builder.io | qwik-city | >= 0 < 1.12.0 | 1.12.0 |
| qwik | qwik | < 1.12.0 | 1.12.0 |
| qwikdev | qwik | < 1.12.0 | 1.12.0 |
OSV
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
osv·2026-02-03
CVE-2026-25155 [MEDIUM] Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
### Summary
A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers.
### Impact
An attacker can bypass Qwik City’s Origin-based CSRF protections and perform forged form submissions, potentially causing unauthorized state changes.
GHSA
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
ghsa·2026-02-03
CVE-2026-25155 [MEDIUM] CWE-352 Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
No detection rules found.
No public exploits indexed.
2026-02-03
Published