Description
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
Published: 2026-02-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF Protection Bypass
Action: Apply patch
AI Analysis

Impact

A flaw in Qwik City’s server‑side request handling allows an attacker to manipulate the Content‑Type header in such a way that the platform cannot reliably detect a legitimate form submission. This inconsistent interpretation can be exploited to bypass established CSRF protections and carry out unauthorized actions on behalf of an authenticated user. The vulnerability is specifically tied to a type of cross‑site request forgery weakness.

Affected Systems

Qwik City implementations that use any QwikDev product prior to version 1.19.0 are vulnerable. The affected product – the Qwik framework – is distributed by QwikDev and is used in Node.js environments.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk, while the EPSS score of less than 1% shows a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code remotely by crafting HTTP requests with aberrant or multi‑valued Content‑Type headers; no special network or system access is required beyond standard web traffic.

Generated by OpenCVE AI on April 18, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Qwik to version 1.19.0 or later, which includes the fix for header validation issues.
  • Configure the application to enforce strict single‑valued Content‑Type header checks, rejecting requests that contain repeated or unexpected header values.
  • Deploy a web‑application firewall or reverse proxy to monitor and block requests using suspicious Content‑Type header patterns before they reach the Qwik server.

Generated by OpenCVE AI on April 18, 2026 at 14:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r666-8gjf-4v5f Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
History

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Qwik
Qwik qwik
CPEs cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Vendors & Products Qwik
Qwik qwik

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Qwikdev
Qwikdev qwik
Vendors & Products Qwikdev
Qwikdev qwik

Tue, 03 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
Title Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N'}

Subscriptions

Qwik Qwik
Qwikdev Qwik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:59:15.226Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25151

cve-icon Vulnrichment

Updated: 2026-02-04T16:59:11.327Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T22:16:30.840

Modified: 2026-02-10T20:08:58.790

Link: CVE-2026-25151

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses