Platform: nodejs
Component: @builder.io/qwik-city
Fixed in: 1.19.1, 1.19.0
CVE-2026-25151 is a Cross-Site Request Forgery (CSRF) vulnerability in the server-side request handler of @builder.io/qwik-city (Qwik City, the routing and server layer of the Qwik framework). The flaw lets an attacker bypass the framework's CSRF protection by exploiting inconsistent interpretation of request headers. Versions before 1.19.0 are affected; a patched release is available, and users should upgrade without delay.
The root cause is how Qwik City's request handler interprets the Content-Type header. A malformed or multi-valued Content-Type is not interpreted consistently, so an attacker can craft a request whose Content-Type the Origin-based CSRF check does not treat as a form submission while the application still processes its body as one. A successful bypass lets the attacker submit state-changing requests in the context of an authenticated user; depending on the application, this can mean unauthorized data modification, account takeover, or any other action the victim's session is permitted to perform. How easily such a request reaches the server depends on the exact Content-Type value: a browser sends a cross-site form post with a CORS-safelisted content type without any preflight, whereas a value that is not safelisted triggers a preflight, so that variant additionally requires the application's CORS policy to allow the cross-origin request, or a non-browser client that does not enforce CORS at all. Even in the variant that depends on a permissive CORS policy, the impact is significant for applications that handle sensitive data or critical operations.
CVE-2026-25151 was publicly disclosed on 2026-02-03. No public proof of concept is known at the time of writing, but manipulating a request header is a low-complexity attack, so the barrier to exploitation will be low once one appears. The EPSS score listed on this page is 0.01% (1st percentile). Monitor security advisories and threat intelligence feeds for indications of active exploitation.
Applications built with @builder.io/qwik-city that accept state-changing form submissions from authenticated users are at risk, and exposure is greater where the application also permits cross-origin requests. Because CSRF rides on the victim's authenticated session, the blast radius is whatever that session is allowed to do in the application.
• nodejs / server: list the installed version of the package and compare it against the fixed release (the lockfile and node_modules are authoritative; process listings do not reveal the library version):
npm ls @builder.io/qwik-city
find / -path "*/node_modules/@builder.io/qwik-city/package.json" -exec grep -H '"version"' {} + 2>/dev/null
• generic web: review access logs for POST requests whose Content-Type carries parameters, multiple values, or does not match the body, especially when the Origin header is missing or points to a foreign site.
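To make the version check above repeatable across a whole dependency tree, the following script, an example added here rather than tooling from the advisory or the Qwik project, walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and flags every copy of @builder.io/qwik-city below 1.19.0, including nested copies under other packages' node_modules. The lockfile embedded in the script is constructed; pass a real package-lock.json path as the first argument to scan it.

```javascript
// Added example (not from the advisory): flag vulnerable copies of
// @builder.io/qwik-city in an npm lockfile. Fixed release taken from the advisory.
const PKG = '@builder.io/qwik-city';
const FIXED = [1, 19, 0];

// Parse "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// true  -> version < 1.19.0 (vulnerable)
// false -> 1.19.0 or later
// null  -> unparseable version string; report it rather than guess
// A pre-release of 1.19.0 itself (e.g. 1.19.0-dev...) sorts before the
// release in semver and is therefore treated as vulnerable.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.prerelease;
}

// Walk the lockfile's "packages" map; keys are install paths, so a nested copy
// looks like "node_modules/<parent>/node_modules/@builder.io/qwik-city".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      findings.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one hoisted (vulnerable) copy, one nested (fixed) copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@builder.io/qwik': { version: '1.19.1' },
    'node_modules/@builder.io/qwik-city': { version: '1.18.0' },
    'node_modules/some-plugin/node_modules/@builder.io/qwik-city': { version: '1.19.1' },
  },
};

// Usage: node scan.js [path/to/package-lock.json]; without an argument the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.table(scanLockfile(lock));
}
```

Any finding with `vulnerable: true` needs the upgrade; a `null` means the version field did not parse and should be inspected by hand.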
Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @builder.io/qwik-city version 1.19.0 or later, which addresses the header parsing issue. If immediate upgrading is not feasible, add server-side validation that rejects requests whose Content-Type is malformed or carries more than one value, and make sure an unrecognised Content-Type fails closed (the CSRF check still runs) rather than being skipped. WAF rules can block requests with suspicious Content-Type headers. Tighten CORS policy so that cross-origin requests are only permitted where the application needs them, which limits the attack surface of the preflighted variant. Finally, review existing CSRF protections such as synchronizer tokens and SameSite cookie attributes as defense in depth.
Update Qwik to version 1.19.0 or later. This version contains a fix for the CSRF protection bypass vulnerability and mitigates the risk of an attacker exploiting it.
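The mechanism described above (a CSRF check and the rest of the request pipeline disagreeing about a malformed or multi-valued Content-Type) and the mitigation recommended here (normalise the media type and fail closed) are illustrated by the following example. It is added here and is not Qwik City's code or the actual vulnerable logic; it shows the general shape of this bug class. All request objects are constructed, and the `weakIsFormRequest`, `parserDecodesAsForm`, `classifyContentType` and `csrfGate` functions are hypothetical names for this illustration.

```javascript
// Added illustration, not Qwik City's code. Three views of the same header:
//  (1) a CSRF gate that recognises form posts by exact match on the raw string,
//  (2) a body parser that matches the same header loosely,
//  (3) a hardened classifier that normalises the media type and fails closed
//      on multi-valued or malformed values.
// The disagreement between (1) and (2) is the parser differential that lets a
// cross-site form post skip the Origin check.

const FORM_MEDIA_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Repeated Content-Type headers reach a handler either as one comma-joined
// string (Node's http module) or as an array (some adapters); accept both.
function rawContentType(headers) {
  const v = headers['content-type'];
  return Array.isArray(v) ? v.join(', ') : (v ?? '');
}

// (1) Weak: exact string match. "text/plain; charset=utf-8" or a multi-valued
// header is not recognised as a form post, so the caller never runs the Origin check.
function weakIsFormRequest(headers) {
  return FORM_MEDIA_TYPES.has(rawContentType(headers));
}

// (2) Loose body parser: looks only at the first media type, so the same
// request IS decoded as a form body.
function parserDecodesAsForm(headers) {
  const first = rawContentType(headers).split(/[;,]/)[0].trim().toLowerCase();
  return FORM_MEDIA_TYPES.has(first);
}

// (3) Hardened: type/subtype must be RFC 9110 tokens (a comma or space is not a
// token character, so "a/b, c/d" is rejected), parameters may not contain a
// comma outside a quoted string (that would be a second value), and the
// comparison is case-insensitive. A missing header is classified as 'form' so
// the Origin check still runs. Returns 'form' | 'not-form' | 'reject'.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE_RE = new RegExp(`^(${TOKEN})/(${TOKEN})$`);

function hasUnquotedComma(params) {
  let quoted = false;
  for (let i = 0; i < params.length; i++) {
    const c = params[i];
    if (quoted && c === '\\') { i++; continue; }        // skip escaped char in quoted-string
    if (c === '"') quoted = !quoted;
    else if (c === ',' && !quoted) return true;
  }
  return false;
}

function classifyContentType(headers) {
  const raw = rawContentType(headers).trim();
  if (raw === '') return 'form';
  const semi = raw.indexOf(';');
  const mediaType = (semi === -1 ? raw : raw.slice(0, semi)).trim().toLowerCase();
  if (!MEDIA_TYPE_RE.test(mediaType)) return 'reject';
  if (semi !== -1 && hasUnquotedComma(raw.slice(semi + 1))) return 'reject';
  return FORM_MEDIA_TYPES.has(mediaType) ? 'form' : 'not-form';
}

// CSRF gate on top of the hardened classifier. Form posts must carry an Origin
// whose scheme and host:port equal the request's own; a missing, unparseable or
// "null" Origin is denied. Non-form content types are left to the browser's
// CORS preflight and the application's CORS policy.
function csrfGate(req) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return 'allow';
  const kind = classifyContentType(req.headers);
  if (kind === 'reject') return 'deny';
  if (kind === 'not-form') return 'allow';
  let origin;
  try { origin = new URL(req.headers['origin'] ?? ''); } catch { return 'deny'; }
  const sameOrigin = origin.protocol === `${req.protocol}:` && origin.host === req.headers['host'];
  return sameOrigin ? 'allow' : 'deny';
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  legitForm:            { method: 'POST', protocol: 'https', headers: { host: 'app.example', origin: 'https://app.example',  'content-type': 'application/x-www-form-urlencoded' } },
  crossSiteWithParam:   { method: 'POST', protocol: 'https', headers: { host: 'app.example', origin: 'https://evil.example', 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8' } },
  crossSiteMultiValued: { method: 'POST', protocol: 'https', headers: { host: 'app.example', origin: 'https://evil.example', 'content-type': ['text/plain', 'application/json'] } },
  crossSiteJson:        { method: 'POST', protocol: 'https', headers: { host: 'app.example', origin: 'https://evil.example', 'content-type': 'application/json' } },
};

function evaluate(req) {
  return {
    weakSeesForm: weakIsFormRequest(req.headers),
    parserSeesForm: parserDecodesAsForm(req.headers),
    hardened: classifyContentType(req.headers),
    gate: csrfGate(req),
  };
}

function runSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, req]) => [name, evaluate(req)]));
}

if (typeof require !== 'undefined' && require.main === module) console.table(runSamples());
```

The two cross-site form rows are the point: the weak check says "not a form" and would skip the Origin check, the body parser says "form" and would act on the body, and the hardened gate denies both, one by Origin mismatch and one by rejecting the multi-valued header outright. The JSON row is allowed by the gate because a browser will preflight it; that is why the CORS policy review in the mitigation list still matters.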
CVE-2026-25151 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.19.0. Malformed Content-Type headers can bypass CSRF protections, allowing attackers to submit unauthorized requests.
You are affected if you are using @builder.io/qwik-city versions prior to 1.19.0 and your application accepts user input via forms and permits cross-origin requests.
Upgrade to @builder.io/qwik-city version 1.19.0 or later. Consider implementing stricter Content-Type validation and reviewing CORS policies.
There are currently no confirmed reports of active exploitation, but manipulating a request header is simple to perform, so exploitation is plausible once the bypass details are public.
Refer to the official @builder.io security advisory for detailed information and updates regarding CVE-2026-25151.