Plataforma
nodejs
Componente
@builder.io/qwik-city
Corregido en
1.19.1
1.19.0
CVE-2026-25151 describes a Cross-Site Request Forgery (CSRF) vulnerability within @builder.io/qwik-city, a server-side request handler. This flaw allows attackers to circumvent CSRF protections by exploiting inconsistent header interpretation. The vulnerability affects versions prior to 1.19.0, and a patch has been released. Users should immediately upgrade to the fixed version to prevent potential exploitation.
The core of the vulnerability lies in how Qwik City handles HTTP request headers. Specifically, it inconsistently interprets Content-Type headers, allowing attackers to craft malicious requests with malformed or multi-valued headers. Successful exploitation bypasses Origin-based CSRF checks, enabling attackers to submit unauthorized requests on behalf of authenticated users. This could lead to unauthorized data modification, account takeover, or other actions depending on the application's functionality. The attack's success hinges on the application accepting cross-origin requests or being accessed via non-browser clients where CORS preflight succeeds. While requiring a successful CORS preflight, the potential impact remains significant, especially in applications with sensitive data or critical operations.
CVE-2026-25151 was publicly disclosed on 2026-02-03. There is currently no known public proof-of-concept (POC) available, but the vulnerability's nature suggests a relatively low barrier to entry for exploitation once a POC is developed. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Applications built with @builder.io/qwik-city that accept user input via forms and permit cross-origin requests are particularly at risk. Shared hosting environments where multiple applications share the same server and resources could also be affected, as a compromised application could potentially impact others.
• nodejs / server:
ps aux | grep qwik-city
find / -name "@builder.io/qwik-city*" -type d• generic web:
curl -I https://your-app.com/some-form | grep Content-Type• generic web: Review access logs for requests with unusual or multi-valued Content-Type headers.
disclosure
Estado del Exploit
EPSS
0.01% (1% percentil)
CISA SSVC
Vector CVSS
The primary mitigation is to upgrade to @builder.io/qwik-city version 1.19.0 or later, which addresses the header parsing issue. If immediate upgrading is not feasible, consider implementing stricter Content-Type validation on the server-side to reject malformed or multi-valued headers. WAF rules can be configured to block requests with suspicious Content-Type headers. Additionally, ensure that CORS policies are configured to restrict cross-origin requests where possible, limiting the attack surface. Review and strengthen existing CSRF protection mechanisms to provide an additional layer of defense.
Actualice Qwik a la versión 1.19.0 o superior. Esta versión contiene una corrección para la vulnerabilidad de omisión de protección CSRF. La actualización mitigará el riesgo de que un atacante explote esta vulnerabilidad.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2026-25151 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.19.0. Malformed Content-Type headers can bypass CSRF protections, allowing attackers to submit unauthorized requests.
You are affected if you are using @builder.io/qwik-city versions prior to 1.19.0 and your application accepts user input via forms and permits cross-origin requests.
Upgrade to @builder.io/qwik-city version 1.19.0 or later. Consider implementing stricter Content-Type validation and reviewing CORS policies.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official @builder.io security advisory for detailed information and updates regarding CVE-2026-25151.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.