Platform
nodejs
Component
@builder.io/qwik-city
Fixed in
1.12.1
1.12.0
CVE-2026-25155 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in @builder.io/qwik-city. This flaw stems from a typographical error within the regular expression used to parse Content-Type headers, leading to incorrect parsing. Successful exploitation could allow an attacker to bypass Qwik City’s Origin-based CSRF protections, potentially resulting in unauthorized state modifications. This vulnerability affects versions prior to 1.12.0, and a fix has been released.
The primary impact of CVE-2026-25155 is the circumvention of Qwik City's CSRF protections. An attacker could craft malicious requests that appear to originate from a legitimate user, tricking the application into performing actions on their behalf. This could include modifying user profiles, creating new accounts, or executing other sensitive operations. The blast radius is limited to the functionality exposed through Qwik City forms and actions, but the potential for unauthorized data manipulation and account takeover is significant. This vulnerability highlights the importance of robust input validation and proper header parsing in web applications.
CVE-2026-25155 was publicly disclosed on 2026-02-03. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's relatively simple nature suggests that PoCs could emerge quickly, so vigilance is advised.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-25155 is to immediately upgrade to @builder.io/qwik-city version 1.12.0 or later. This version contains a corrected regular expression that properly parses Content-Type headers, effectively preventing the CSRF bypass. If upgrading is not immediately feasible, consider implementing stricter Origin checks in your application code to further reinforce CSRF protection. While not a complete solution, this can provide an additional layer of defense. Review and validate all form submissions to ensure they originate from trusted sources. After upgrading, confirm the fix by attempting to submit a forged form request and verifying that the Origin check is enforced.
Update Qwik to version 1.12.0 or higher. This version fixes the CSRF vulnerability by correctly parsing Content-Type headers. The update ensures that the CSRF protection middleware functions as expected, protecting against cross-site request forgery attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25155 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.12.0 caused by a typo in Content-Type header parsing, allowing attackers to bypass CSRF protections.
You are affected if you are using @builder.io/qwik-city versions prior to 1.12.0 and rely on its Origin-based CSRF protections.
Upgrade to @builder.io/qwik-city version 1.12.0 or later to resolve the vulnerability. Consider adding stricter Origin checks as an additional precaution.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests potential for future exploitation.
Refer to the official @builder.io security advisory for detailed information and updates: [https://www.builder.io/security/advisories](https://www.builder.io/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.