Description
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via type confusion
Action: Immediate Patch
AI Analysis

Impact

Qwik transforms dotted form field names into nested structures when parsing application/x-www-form-urlencoded or multipart/form-data request bodies. Before version 1.19.2 it treated any path that contained an index segment as an array, regardless of whether non-index keys were also present on the same path. An attacker could submit a mix of index keys (e.g., items.0, items.1) and object-property keys (e.g., items.toString, items.push, items.length). Because the framework expected an array, it wrote these user-controlled properties onto the array, so the resulting value no longer behaved as one. This is type confusion, which maps to CWE-1321 (manipulation of object properties to break expected invariants) and CWE-843 (improper type conversion that lets malicious input be treated as a different type).

Affected Systems

The vulnerability affects QwikDev’s Qwik framework. Any installation of Qwik prior to version 1.19.2 is vulnerable. Qwik is commonly used in Node.js‑based server or edge rendering contexts, so any deployment that processes form data through this framework is at risk. The issue was addressed in commit 7b5867c3dd8925df9aa96c4296b1e95a4c2af87d and is fixed in version 1.19.2 and later releases.

Risk and Exploitability

CVSS score 7.5 indicates moderate‑to‑high severity, but the EPSS score is under 1 %, suggesting current exploitation in the wild is unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft a web request containing malformed form‑data or URL‑encoded payload that mixes array indices with object‑property keys on the same field name. If input validation is absent, the altered data can cause request handlers to fail, terminate prematurely, or allocate excessive memory, which can be leveraged for a denial‑of‑service attack or to destabilize downstream business logic.

Generated by OpenCVE AI on March 23, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Qwik to version 1.19.2 or later.
  • If an upgrade is not immediately possible, validate and sanitize incoming form data to reject mixed array‑index and object‑property keys on the same path.
  • Apply strict server‑side type checks on any data structures that originate from form inputs to guard against unexpected type coercion.
  • Monitor application logs for unusual request patterns that include keys such as items.toString, items.push, or items.length.
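The following is an added example and not Qwik's own code: a minimal parser that turns dotted form field names into nested values, shown first in a naive form that infers arrays the way the description above explains, and then in a hardened form that implements the "reject mixed array-index and object-property keys on the same path" check from the recommended actions. The function names, INDEX_RE, MAX_INDEX and the constructed request body are all assumptions made for this example.

```javascript
// Added example, not Qwik's code. Entries are [fieldName, value] pairs as
// they would come out of a parsed form body; all names here are hypothetical.

const INDEX_RE = /^(0|[1-9]\d*)$/;       // segment that counts as an array index
const MAX_INDEX = 1000;                  // assumed cap against oversized arrays
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

class FormFieldError extends Error {}

// Naive: a path becomes an array if the segment after it looks like an index
// the first time it is seen; later segments on the same path are simply
// assigned as properties, so "items.length" or "items.toString" land on the array.
function parseFormNaive(entries) {
  const root = {};
  for (const [name, value] of entries) {
    const parts = name.split(".");
    let node = root;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      if (node[key] === undefined) {
        node[key] = INDEX_RE.test(parts[i + 1]) ? [] : {};
      }
      node = node[key];
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Refuse indices that would grow an array far beyond what a form should carry.
function guardIndex(node, key, name) {
  if (Array.isArray(node) && Number(key) > MAX_INDEX) {
    throw new FormFieldError(`index ${key} exceeds ${MAX_INDEX} in "${name}"`);
  }
}

// Hardened: remember whether each path is an array or an object and reject any
// entry that would use it as the other kind; also reject prototype-related
// segments and leaf/container collisions, and bound every array index.
function parseFormStrict(entries) {
  const root = {};
  const kinds = new Map();               // path -> "array" | "object"
  for (const [name, value] of entries) {
    const parts = name.split(".");
    for (const seg of parts) {
      if (seg === "" || FORBIDDEN.has(seg)) {
        throw new FormFieldError(`forbidden segment "${seg}" in "${name}"`);
      }
    }
    let node = root;
    let path = "";
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      path = path ? `${path}.${key}` : key;
      const want = INDEX_RE.test(parts[i + 1]) ? "array" : "object";
      const have = kinds.get(path);
      if (have === undefined) {
        if (Object.prototype.hasOwnProperty.call(node, key)) {
          throw new FormFieldError(`"${path}" is both a value and a container`);
        }
        guardIndex(node, key, name);
        kinds.set(path, want);
        node[key] = want === "array" ? [] : {};
      } else if (have !== want) {
        throw new FormFieldError(`"${path}" is used as both array and object`);
      }
      node = node[key];
    }
    const last = parts[parts.length - 1];
    const leafPath = path ? `${path}.${last}` : last;
    if (kinds.has(leafPath)) {
      throw new FormFieldError(`"${leafPath}" is both a container and a value`);
    }
    guardIndex(node, last, name);
    node[last] = value;
  }
  return root;
}

// Runs both parsers over one constructed body that mixes index and property keys.
function demo() {
  const body = [["items.0", "a"], ["items.1", "b"], ["items.length", "99999"], ["items.toString", "x"]];
  const naive = parseFormNaive(body);
  let strictError = null;
  try { parseFormStrict(body); } catch (e) { strictError = e.message; }
  return { naiveLength: naive.items.length, naiveToString: typeof naive.items.toString, strictError };
}

console.log(demo());
```

In the naive parser the array ends up with length 99999 and a string-valued own `toString`, so anything that stringifies it throws a TypeError; the strict parser rejects the body at the first property key on an array path. The "both a value and a container" checks are not part of the advisory but close the remaining ways a path can change shape between entries.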



Advisories

Source: GitHub GHSA
ID: GHSA-whhv-gg5v-864r
Title: Qwik City has array method pollution in FormData processing allows type confusion and DoS
History

Mon, 23 Mar 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Qwik; Qwik qwik
Type: CPEs
  Values Added: cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
  Values Added: Qwik; Qwik qwik

Fri, 20 Mar 2026 16:30:00 +0000

Type: First Time appeared
  Values Added: Qwikdev; Qwikdev qwik
Type: Vendors & Products
  Values Added: Qwikdev; Qwikdev qwik

Fri, 20 Mar 2026 12:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:15:00 +0000

Type: Description
  Values Added: Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.
Type: Title
  Values Added: Qwik has array method pollution in FormData processing, allowing type confusion and DoS
Type: Weaknesses
  Values Added: CWE-1321; CWE-843
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T12:07:39.151Z

Reserved: 2026-03-13T14:33:42.823Z

Link: CVE-2026-32701

Vulnrichment

Updated: 2026-03-20T12:07:11.258Z

NVD

Status: Analyzed

Published: 2026-03-20T09:16:14.520

Modified: 2026-03-23T15:30:54.460

Link: CVE-2026-32701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:46Z

Weaknesses