Plataforma
nodejs
Componente
@builder.io/qwik-city
Corregido en
1.12.1
1.12.0
CVE-2026-25155 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in @builder.io/qwik-city. This flaw stems from a typographical error within the regular expression used to parse Content-Type headers, leading to incorrect parsing. Successful exploitation could allow an attacker to bypass Qwik City’s Origin-based CSRF protections, potentially resulting in unauthorized state modifications. This vulnerability affects versions prior to 1.12.0, and a fix has been released.
The primary impact of CVE-2026-25155 is the circumvention of Qwik City's CSRF protections. An attacker could craft malicious requests that appear to originate from a legitimate user, tricking the application into performing actions on their behalf. This could include modifying user profiles, creating new accounts, or executing other sensitive operations. The blast radius is limited to the functionality exposed through Qwik City forms and actions, but the potential for unauthorized data manipulation and account takeover is significant. This vulnerability highlights the importance of robust input validation and proper header parsing in web applications.
CVE-2026-25155 was publicly disclosed on 2026-02-03. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's relatively simple nature suggests that PoCs could emerge quickly, so vigilance is advised.
Applications built with @builder.io/qwik-city and using its Origin-based CSRF protection mechanisms are at risk. This includes projects relying on Qwik City for form handling and state management. Shared hosting environments where multiple applications share the same server resources could also be indirectly affected if one application is compromised.
• nodejs / server: Examine application logs for unusual form submissions or requests with unexpected Content-Type headers. Use lsof or ss to monitor for suspicious network connections originating from the Qwik City process.
lsof -i :3000 | grep -i qwik• generic web: Monitor access logs for requests with manipulated Content-Type headers. Inspect response headers for unexpected behavior after form submissions.
grep -i "Content-Type: application/x-www-form-urlencoded" /var/log/nginx/access.logdisclosure
Estado del Exploit
EPSS
0.01% (0% percentil)
CISA SSVC
Vector CVSS
The recommended mitigation for CVE-2026-25155 is to immediately upgrade to @builder.io/qwik-city version 1.12.0 or later. This version contains a corrected regular expression that properly parses Content-Type headers, effectively preventing the CSRF bypass. If upgrading is not immediately feasible, consider implementing stricter Origin checks in your application code to further reinforce CSRF protection. While not a complete solution, this can provide an additional layer of defense. Review and validate all form submissions to ensure they originate from trusted sources. After upgrading, confirm the fix by attempting to submit a forged form request and verifying that the Origin check is enforced.
Actualice Qwik a la versión 1.12.0 o superior. Esta versión corrige la vulnerabilidad CSRF al parsear correctamente los encabezados Content-Type. La actualización asegura que el middleware de protección CSRF funcione como se espera, protegiendo contra ataques de falsificación de solicitudes entre sitios.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2026-25155 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.12.0 caused by a typo in Content-Type header parsing, allowing attackers to bypass CSRF protections.
You are affected if you are using @builder.io/qwik-city versions prior to 1.12.0 and rely on its Origin-based CSRF protections.
Upgrade to @builder.io/qwik-city version 1.12.0 or later to resolve the vulnerability. Consider adding stricter Origin checks as an additional precaution.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests potential for future exploitation.
Refer to the official @builder.io security advisory for detailed information and updates: [https://www.builder.io/security/advisories](https://www.builder.io/security/advisories)
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.