Description
Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Published: 2026-02-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

A typo in a regular expression used by Qwik City's CSRF protection middleware causes incorrect parsing of Content-Type headers that carry parameters, such as multipart/form-data with a boundary parameter. Because the middleware only applies its check to requests it recognizes as form submissions, a request it fails to recognize passes through without the check, so a request that would normally be rejected can be accepted, allowing an attacker to perform unauthorized actions on behalf of an authenticated user. The weakness is a classic Cross-Site Request Forgery (CWE-352) flaw in request handling logic.

Affected Systems

The vulnerability affects the Qwik JavaScript framework distributed by QwikDev. All versions of Qwik prior to 1.12.0 are impacted. The issue is fixed in Qwik 1.12.0 and later releases.

Risk and Exploitability

The CVSS base score is 5.9, indicating medium severity. EPSS is less than 1%, pointing to a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited exploitation. The likely attack vector requires an attacker to successfully craft a cross‑site request that targets a state‑changing endpoint and includes a Content‑Type header with parameters; successful exploitation would allow the attacker to execute actions without the victim’s consent.

Generated by OpenCVE AI on April 18, 2026 at 00:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Qwik to version 1.12.0 or later.
  • Verify that the CSRF protection middleware is enabled for all endpoints that accept mutable requests.
  • Implement server‑side validation of the Content‑Type header to reject malformed headers before processing the request.
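The following is an added example, not Qwik's own code, illustrating the failure mode described under Impact and the server-side Content-Type validation recommended above: a naive check that compares the raw header value (hypothetical, for contrast) misses `multipart/form-data; boundary=...`, while the hardened check strips parameters before classifying the request and gates form-style bodies on an Origin match. The set of form media types, the `csrfCheck` signature and the `siteOrigin` value are assumptions for the demonstration.

```javascript
// Media types a browser can submit cross-site from a plain HTML <form>
// without a CORS preflight. These are the bodies a CSRF gate must cover.
const FORM_MEDIA_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Naive check (hypothetical, shown for contrast): exact match on the raw
// header, so any parameter or unusual casing makes it return false and
// the request silently bypasses the CSRF gate.
function isFormContentTypeNaive(header) {
  return FORM_MEDIA_TYPES.has(header);
}

// Extract the media type only: everything before the first ';', trimmed
// and lower-cased, since media types are case-insensitive and parameters
// such as boundary= or charset= are not part of the type itself.
function mediaType(header) {
  if (typeof header !== "string") return "";
  return header.split(";", 1)[0].trim().toLowerCase();
}

// Hardened check: classify on the parsed media type, never the raw header.
function isFormContentType(header) {
  return FORM_MEDIA_TYPES.has(mediaType(header));
}

// CSRF gate for state-changing requests. Assumption: `headers` is a plain
// object with lower-cased keys and `siteOrigin` is the app's own origin.
// Returns true when the request may proceed.
function csrfCheck(method, headers, siteOrigin) {
  // Safe methods are not state-changing and are not gated here.
  if (["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase())) return true;
  // Non-form bodies cannot be sent cross-site without a preflight, so the
  // browser's CORS policy already protects them.
  if (!isFormContentType(headers["content-type"])) return true;
  // Form-style body: require a matching Origin and fail closed if absent.
  return headers["origin"] === siteOrigin;
}
```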


Tracking


Advisories
Source: Github GHSA
ID: GHSA-vm6g-8r4h-22x8
Title: Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
History

Tue, 10 Feb 2026 20:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Qwik; Qwik qwik
CPEs                                    cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Vendors & Products                      Qwik; Qwik qwik

Wed, 04 Feb 2026 18:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Qwikdev; Qwikdev qwik
Vendors & Products                      Qwikdev; Qwikdev qwik

Tue, 03 Feb 2026 21:30:00 +0000

Type                  Values Removed    Values Added
Description                             Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Title                                   [qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
Weaknesses                              CWE-352
References
Metrics                                 cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:59:56.030Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25155

Vulnrichment

Updated: 2026-02-04T16:59:52.514Z

NVD

Status: Analyzed

Published: 2026-02-03T22:16:30.987

Modified: 2026-02-10T20:07:58.410

Link: CVE-2026-25155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses