Platform
nodejs
Component
@builder.io/qwik-city
Fixed in
1.19.1
1.19.0
CVE-2026-25151 describes a Cross-Site Request Forgery (CSRF) vulnerability within @builder.io/qwik-city, a server-side request handler. This flaw allows attackers to circumvent CSRF protections by exploiting inconsistent header interpretation. The vulnerability affects versions prior to 1.19.0, and a patch has been released. Users should immediately upgrade to the fixed version to prevent potential exploitation.
The core of the vulnerability lies in how Qwik City handles HTTP request headers. Specifically, it inconsistently interprets Content-Type headers, allowing attackers to craft malicious requests with malformed or multi-valued headers. Successful exploitation bypasses Origin-based CSRF checks, enabling attackers to submit unauthorized requests on behalf of authenticated users. This could lead to unauthorized data modification, account takeover, or other actions depending on the application's functionality. The attack's success hinges on the application accepting cross-origin requests or being accessed via non-browser clients where CORS preflight succeeds. While requiring a successful CORS preflight, the potential impact remains significant, especially in applications with sensitive data or critical operations.
CVE-2026-25151 was publicly disclosed on 2026-02-03. There is currently no known public proof-of-concept (POC) available, but the vulnerability's nature suggests a relatively low barrier to entry for exploitation once a POC is developed. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to @builder.io/qwik-city version 1.19.0 or later, which addresses the header parsing issue. If immediate upgrading is not feasible, consider implementing stricter Content-Type validation on the server-side to reject malformed or multi-valued headers. WAF rules can be configured to block requests with suspicious Content-Type headers. Additionally, ensure that CORS policies are configured to restrict cross-origin requests where possible, limiting the attack surface. Review and strengthen existing CSRF protection mechanisms to provide an additional layer of defense.
Update Qwik to version 1.19.0 or higher. This version contains a fix for the CSRF protection bypass vulnerability. The update will mitigate the risk of an attacker exploiting this vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25151 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.19.0. Malformed Content-Type headers can bypass CSRF protections, allowing attackers to submit unauthorized requests.
You are affected if you are using @builder.io/qwik-city versions prior to 1.19.0 and your application accepts user input via forms and permits cross-origin requests.
Upgrade to @builder.io/qwik-city version 1.19.0 or later. Consider implementing stricter Content-Type validation and reviewing CORS policies.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official @builder.io security advisory for detailed information and updates regarding CVE-2026-25151.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.