Description
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within the @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names such as __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
Published: 2026-02-03
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution enabling privilege escalation, authentication bypass, or denial of service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a prototype-pollution flaw in the formToObj() function of the Qwik City middleware (@builder.io/qwik-city), which processes form field names with dot notation to build nested objects. It does not sanitize dangerous property names such as __proto__, constructor, or prototype, so an unauthenticated attacker can send a crafted HTTP POST request whose field names walk into and modify Object.prototype. Because every plain object inherits from Object.prototype, this can lead to privilege escalation, authentication bypass, or denial of service by altering application logic or the behaviour of unrelated objects.
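The mechanism described above, and the key sanitization named in the recommended actions, as an added example that is not Qwik City's code: a dot-notation form-to-object converter in a naive variant (the defect class the advisory describes) and a hardened variant that rejects the unsafe segments and builds null-prototype containers. The function names, the helper findUnsafeFieldNames and the constructed form bodies are this example's own assumptions, not identifiers from the patched project.

```javascript
// Added example, not Qwik City's code: a dot-notation form-field-to-object
// converter in a naive and a hardened variant, illustrating the class of
// defect the advisory describes (CWE-1321). Function and variable names are
// this example's own assumptions, not identifiers from the patched project.

// Property names that must never be used as a path segment when walking
// into nested objects: each one reaches Object.prototype or a constructor.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive variant: nests "a.b.c" keys with no filtering. A field named
// "__proto__.x" walks into Object.prototype and writes x there.
function formToObjNaive(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const parts = name.split(".");
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Returns every field name containing an unsafe path segment. Usable as a
// pre-check in middleware, or to log rejected submissions for detection.
function findUnsafeFieldNames(entries) {
  const bad = [];
  for (const [name] of entries) {
    if (name.split(".").some((p) => UNSAFE_KEYS.has(p))) bad.push(name);
  }
  return bad;
}

// Hardened variant: rejects unsafe segments up front and, as defence in
// depth, builds null-prototype containers so that even an overlooked key
// cannot reach Object.prototype through the prototype chain.
function formToObjSafe(entries) {
  // Materialize once: FormData.entries() is a one-shot iterator.
  const list = Array.from(entries);
  const unsafe = findUnsafeFieldNames(list);
  if (unsafe.length > 0) {
    throw new Error(`rejected unsafe form field name(s): ${unsafe.join(", ")}`);
  }
  const out = Object.create(null);
  for (const [name, value] of list) {
    const parts = name.split(".");
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const seg = parts[i];
      // Only descend into containers this parser created itself (own props).
      const existing = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
      if (typeof existing !== "object" || existing === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Convenience wrapper for an application/x-www-form-urlencoded body string.
function parseFormBody(body) {
  return formToObjSafe(new URLSearchParams(body));
}

// Stand-alone demonstration on constructed input.
if (typeof require !== "undefined" && require.main === module) {
  console.log(parseFormBody("user.name=alice&user.email=a%40example.com"));
  console.log(findUnsafeFieldNames(new URLSearchParams("__proto__.polluted=1")));
}
```

Two design notes: the hardened variant rejects the whole submission rather than silently dropping the offending field, which keeps the rejection visible in logs; and because it returns null-prototype objects, downstream code that calls methods such as hasOwnProperty directly on the result must use Object.prototype.hasOwnProperty.call or Object.hasOwn instead.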

Affected Systems

The flaw affects QwikDev's Qwik framework, specifically the @builder.io/qwik-city middleware. Any instance running a version prior to 1.19.0 is vulnerable. Users running older Qwik releases in production should verify whether their code imports and uses this middleware.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.3 (Critical). The EPSS score is below 1%, implying a low current exploitation probability. It is not listed in the CISA KEV catalog, so no known widespread exploitation has been reported. The issue is reachable remotely and without authentication by sending crafted HTTP POST requests to endpoints that invoke formToObj(). Successful exploitation could compromise application integrity or availability, and in multi-tenant environments could allow an attacker to elevate privileges or break authentication flows.

Generated by OpenCVE AI on April 18, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Qwik framework to version 1.19.0 or later, which contains the fix for the formToObj() prototype-pollution issue.
  • If upgrading is not immediately possible, apply the patch found in the GitHub commit 5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 or merge the corresponding changes to sanitize __proto__, constructor, and prototype keys.
  • Limit or disable the use of the @builder.io/qwik-city middleware on publicly exposed routes, or restrict POST requests via access controls or rate limiting to reduce the attack surface.

Advisories
Source: GitHub GHSA
ID: GHSA-xqg6-98cw-gxhq
Title: Prototype Pollution via FormData Processing in Qwik City
History

Tue, 10 Feb 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Qwik; Qwik qwik
Type: CPEs
Values Added: cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Qwik; Qwik qwik

Wed, 04 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Qwikdev; Qwikdev qwik
Type: Vendors & Products
Values Added: Qwikdev; Qwikdev qwik

Tue, 03 Feb 2026 21:30:00 +0000

Type: Description
Values Added: Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within the @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names such as __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
Type: Title
Values Added: Prototype Pollution via FormData Processing in Qwik City
Type: Weaknesses
Values Added: CWE-1321
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:31:46.643Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25150

Vulnrichment

Updated: 2026-02-04T16:31:43.188Z

NVD

Status: Analyzed

Published: 2026-02-03T22:16:30.690

Modified: 2026-02-10T20:10:16.513

Link: CVE-2026-25150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses