Description
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
Published: 2026-03-03
Score: 9.2 Critical
EPSS: 30.0% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unsafe deserialization flaw in Qwik’s server$ RPC mechanism, corresponding to CWE‑502 (Deserialization of Untrusted Data). Because the server$ endpoint accepts and deserializes client-supplied request data before any authentication check, a single crafted HTTP request from an unauthenticated client is enough to execute arbitrary code on the server, giving full remote code execution.

Affected Systems

QwikDev’s Qwik framework versions 1.19.0 and earlier are affected. The advisory scopes the impact to deployments where the require() function is available at runtime, which in practice means Qwik server code running on Node.js; runtimes without require() fall outside the described attack path. The fix is available in Qwik 1.19.1 and later releases.

Risk and Exploitability

The CVSS v4.0 base score of 9.2 (vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) is critical: network reachable, low complexity, no privileges or user interaction, and high impact on confidentiality, integrity and availability. The AT:P (attack requirements present) metric reflects the precondition that require() be available in the runtime; a CVSS v3.1 score of 9.8 was added on 5 March 2026. An EPSS of 30% is a high estimated probability of exploitation activity within the next 30 days relative to the CVE population as a whole, even though this page labels the band moderate. Although not yet listed in the CISA KEV catalog, the unauthenticated access path, any HTTP request to a server$ RPC endpoint, provides a straightforward attack vector. Successful exploitation runs attacker code with the permissions of the Qwik server process, so the blast radius is whatever that process can reach: its environment and secrets, the file system, and any backend services it holds credentials for.

Generated by OpenCVE AI on April 16, 2026 at 13:49 UTC.

Remediation

The vendor fix is Qwik 1.19.1, per the CVE description and GitHub advisory GHSA-p9x5-jp3h-96mm. No vendor-provided workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Qwik to version 1.19.1 or newer, which removes the unsafe deserialization path. Check transitive and nested copies of the package as well as the direct dependency.
  • If an upgrade is not immediately possible, restrict network exposure of the server$ RPC endpoint, allowing traffic only from trusted sources, and treat every request to it as hostile until the upgrade lands.
  • Note that the advisory scopes the flaw to runtimes where require() is available. Removing require() from a Node.js deployment is rarely practical, so this is a way to determine which deployments are in scope rather than a mitigation to rely on.
  • Apply runtime containment, such as running the Node.js process as an unprivileged user in a hardened container with a minimal file system and egress restrictions, to limit the impact if code execution occurs.
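The first action is easier to get wrong than it looks, because a patched top-level dependency does not guarantee that no 1.19.0-or-older copy is installed further down the tree. The script below is an added example, not OpenCVE's or Qwik's tooling, that walks a package-lock.json (lockfile v2/v3, which carries a "packages" map keyed by install path) and reports every installed @builder.io/qwik at a version below 1.19.1, nested copies included. The lock file content is constructed for the example; the package name is the real npm name of the Qwik core package, and the version cut-off comes from the advisory.

```javascript
// Added example (not OpenCVE's or Qwik's tooling): audit a package-lock.json
// for installed copies of @builder.io/qwik at or below 1.19.0, the affected
// range from the advisory. Lockfile v1 (a "dependencies" tree) is not handled
// and is rejected explicitly.

const AFFECTED_PACKAGE = '@builder.io/qwik';
const FIXED_VERSION = '1.19.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator: negative if a < b, 0 if equal, positive if a > b. A prerelease
// sorts below its release, so 1.19.1-rc.1 is still treated as affected.
// Prerelease identifiers are compared lexically, which is enough for this check.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Returns [{ path, version }] for every installed copy below FIXED_VERSION.
function findAffected(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages || typeof lock.packages !== 'object') {
    throw new TypeError('expected a lockfile v2/v3 with a "packages" map');
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Match the package itself, not scoped siblings such as @builder.io/qwik-city.
    if (path === '' || !path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (!entry || typeof entry.version !== 'string') continue;
    if (compareSemver(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

function formatReport(hits) {
  if (hits.length === 0) return [`OK: no ${AFFECTED_PACKAGE} < ${FIXED_VERSION} installed`];
  return hits.map((h) => `AFFECTED: ${h.path} is ${h.version} (fixed in ${FIXED_VERSION})`);
}

// Constructed lock file: the root depends on a patched Qwik, but two plugins
// pin older copies under their own node_modules and must be reported.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@builder.io/qwik': '^1.19.1' } },
    'node_modules/@builder.io/qwik': { version: '1.19.1' },
    'node_modules/@builder.io/qwik-city': { version: '1.19.1' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/@builder.io/qwik': { version: '1.19.0' },
    'node_modules/legacy-widget/node_modules/@builder.io/qwik': { version: '1.18.2' },
  },
});

console.log(formatReport(findAffected(SAMPLE_LOCK)).join('\n'));
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's package-lock.json (for example via fs.readFileSync). The same path-suffix logic applies to pnpm or yarn lock files only after converting them, since their formats differ.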



Advisories

Source        ID                    Title
GitHub GHSA   GHSA-p9x5-jp3h-96mm   Qwik vulnerable to Unauthenticated RCE via server$ Deserialization
History

Thu, 05 Mar 2026 18:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Qwik
                                       Qwik qwik
CPEs                                   cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Vendors & Products                     Qwik
                                       Qwik qwik
Metrics                                cvssV3_1
                                       {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Qwikdev
                                       Qwikdev qwik
Vendors & Products                     Qwikdev
                                       Qwikdev qwik

Tue, 03 Mar 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description                    Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
Title                          Qwik affected by unauthenticated RCE via server$ Deserialization
Weaknesses                     CWE-502
References
Metrics                        cvssV4_0
                               {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:05:45.401Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27971

Vulnrichment

Updated: 2026-03-04T16:05:39.747Z

NVD

Status: Analyzed

Published: 2026-03-03T23:15:56.227

Modified: 2026-03-05T17:57:37.233

Link: CVE-2026-27971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses