Platform: nodejs
Component: @builder.io/qwik-city
Fixed in: 1.19.1, 1.19.0
CVE-2026-25151 describes a Cross-Site Request Forgery (CSRF) vulnerability within @builder.io/qwik-city, a server-side request handler. This flaw allows attackers to circumvent CSRF protections by exploiting inconsistent header interpretation. The vulnerability affects versions prior to 1.19.0, and a patch has been released. Users should immediately upgrade to the fixed version to prevent potential exploitation.
The core of the vulnerability lies in how Qwik City handles HTTP request headers. Specifically, it interprets Content-Type headers inconsistently, so an attacker can craft requests with malformed or multi-valued headers. Successful exploitation bypasses Origin-based CSRF checks, enabling attackers to submit unauthorized requests on behalf of authenticated users. This could lead to unauthorized data modification, account takeover, or other actions depending on the application's functionality. The attack's success hinges on the application accepting cross-origin requests or being accessed via non-browser clients where CORS preflight succeeds. Although exploitation requires a successful CORS preflight, the potential impact remains significant, especially in applications with sensitive data or critical operations.
CVE-2026-25151 was publicly disclosed on 2026-02-03. There is currently no known public proof-of-concept (POC) available, but the vulnerability's nature suggests a relatively low barrier to entry for exploitation once a POC is developed. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Applications built with @builder.io/qwik-city that accept user input via forms and permit cross-origin requests are particularly at risk. Shared hosting environments where multiple applications share the same server and resources could also be affected, as a compromised application could potentially impact others.
• nodejs / server:
ps aux | grep qwik-city
find / -type d -path "*/@builder.io/qwik-city*"   # -name cannot match a path containing "/"
• generic web:
curl -sI https://your-app.com/some-form | grep -i "^content-type:"
• generic web: Review access logs for requests with unusual or multi-valued Content-Type headers.
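As an added inventory check that is not part of the advisory's own detection steps, the script below walks a package-lock.json (lockfileVersion 2 or 3, where every installed package is listed under "packages" keyed by its node_modules path) and reports each copy of @builder.io/qwik-city older than 1.19.0, the version the advisory gives as the first fixed release. Nested copies pulled in by other dependencies are found as well. The lockfile fragment and the version numbers in it are constructed for the demo, and compareVersions and findVulnerableQwikCity are this example's own names.

```javascript
// Added example, not from the advisory or from Qwik City: an offline inventory
// check over a package-lock.json that lists every installed copy of
// @builder.io/qwik-city below the first fixed version named by the advisory.
// compareVersions and findVulnerableQwikCity are this example's own names.

const PACKAGE = "@builder.io/qwik-city";
const FIXED_IN = "1.19.0"; // first fixed version per the advisory

// Compare two dotted versions numerically (1.9.0 < 1.19.0, unlike string order).
// A "-prerelease" suffix is stripped and ranks below the same release number.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = String(v).split("-", 2);
    return {
      nums: core.split(".").map((n) => parseInt(n, 10) || 0),
      pre: pre !== undefined,
    };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

// Walk the "packages" map of a v2/v3 lockfile. Keys look like
// "node_modules/<name>" for direct installs and
// "node_modules/<parent>/node_modules/<name>" for nested copies.
function findVulnerableQwikCity(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE)) continue;
    if (entry.version && compareVersions(entry.version, FIXED_IN) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: one direct copy on a version below the fix
// and one nested copy that is already on a fixed version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@builder.io/qwik-city": { version: "1.18.2" },
    "node_modules/some-plugin/node_modules/@builder.io/qwik-city": { version: "1.19.1" },
  },
};

console.log(findVulnerableQwikCity(sampleLock));
// [ { path: 'node_modules/@builder.io/qwik-city', version: '1.18.2' } ]
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). lockfileVersion 1 files nest packages under "dependencies" instead of "packages" and are not covered by this walker.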
disclosure
Exploit status
EPSS: 0.01% (percentile 1%)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @builder.io/qwik-city version 1.19.0 or later, which addresses the header parsing issue. If immediate upgrading is not feasible, consider implementing stricter Content-Type validation on the server-side to reject malformed or multi-valued headers. WAF rules can be configured to block requests with suspicious Content-Type headers. Additionally, ensure that CORS policies are configured to restrict cross-origin requests where possible, limiting the attack surface. Review and strengthen existing CSRF protection mechanisms to provide an additional layer of defense.
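As an added example that is not Qwik City's code and does not reproduce the upstream patch, the Node.js handler below shows what the stricter Content-Type validation and Origin allowlisting described above look like when written to fail closed: a Content-Type that is multi-valued or does not parse as a single media type is rejected instead of being guessed at, and every state-changing request must carry an Origin on an allowlist. parseContentType, isCsrfSafeRequest and ALLOWED_ORIGINS are this example's own names, and https://app.example and https://other.example are constructed origins.

```javascript
// Added example, not code from the advisory or from Qwik City, and not the
// upstream patch: a fail-closed CSRF gate for a Node.js form handler. Rather
// than guessing what an ambiguous Content-Type means, it rejects multi-valued
// or malformed values outright and requires every state-changing request to
// carry an allowlisted Origin. parseContentType, isCsrfSafeRequest and
// ALLOWED_ORIGINS are this example's own names; the origins are constructed.

const TOKEN = "[A-Za-z0-9!#$%&'*+.^_|~-]+"; // RFC 7230 token characters
const MEDIA_TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
const PARAM_RE = new RegExp(`^(${TOKEN})=("[^"]*"|${TOKEN})$`);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Parse ONE Content-Type value strictly: a single type/subtype followed by
// optional ";name=value" parameters. A comma-joined list, an empty parameter
// or an unquoted value containing a comma or space all return null, so the
// caller fails closed instead of picking one of several possible readings.
function parseContentType(value) {
  if (typeof value !== "string") return null;
  const [mediaType, ...params] = value.split(";").map((s) => s.trim());
  if (!MEDIA_TYPE_RE.test(mediaType)) return null;
  const parameters = {};
  for (const p of params) {
    const m = PARAM_RE.exec(p);
    if (!m) return null;
    parameters[m[1].toLowerCase()] = m[2].replace(/^"|"$/g, "");
  }
  return { mediaType: mediaType.toLowerCase(), parameters };
}

// `headers` is shaped like Node's IncomingMessage.headers (lower-case names).
// Node's own parser discards duplicate Content-Type headers after the first and
// joins duplicate Origin headers with ", "; a proxy or framework layer may
// instead expose an array or a comma-joined string, so both shapes fail here.
function isCsrfSafeRequest(method, headers, allowedOrigins) {
  if (!STATE_CHANGING.has(String(method).toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  const rawType = headers["content-type"];
  if (Array.isArray(rawType)) {
    return { ok: false, reason: "multiple Content-Type headers" };
  }
  if (rawType !== undefined && parseContentType(rawType) === null) {
    return { ok: false, reason: "malformed Content-Type" };
  }
  // Browsers send Origin on every state-changing request, so its absence, a
  // joined duplicate, or the literal "null" all fail the allowlist below.
  const origin = headers["origin"];
  if (typeof origin !== "string") {
    return { ok: false, reason: "missing or multiple Origin" };
  }
  if (!allowedOrigins.has(origin.trim().toLowerCase())) {
    return { ok: false, reason: "origin not allowed" };
  }
  return { ok: true, reason: "origin allowed" };
}

// Constructed allowlist; a real deployment loads it from configuration.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Constructed requests: a normal same-origin form post, the same post with a
// Content-Type carrying two media types (the ambiguous shape the advisory
// describes), and a post from an origin that is not on the allowlist.
const formPost = {
  "content-type": "application/x-www-form-urlencoded",
  origin: "https://app.example",
};
const twoTypes = { ...formPost, "content-type": "application/json, text/plain" };
const crossOrigin = { ...formPost, origin: "https://other.example" };

console.log(isCsrfSafeRequest("POST", formPost, ALLOWED_ORIGINS)); // { ok: true, reason: 'origin allowed' }
console.log(isCsrfSafeRequest("POST", twoTypes, ALLOWED_ORIGINS)); // { ok: false, reason: 'malformed Content-Type' }
console.log(isCsrfSafeRequest("POST", crossOrigin, ALLOWED_ORIGINS)); // { ok: false, reason: 'origin not allowed' }
```

The design choice is to make the Content-Type check a pure reject filter rather than a classifier: nothing downstream decides "this type is safe, skip the Origin check", which is the decision an ambiguous header can subvert. Non-browser API clients that legitimately send no Origin belong on a separate route authenticated by a bearer token, not on the form handler this gate protects.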
Update Qwik to version 1.19.0 or later. This version contains a fix for the CSRF protection bypass vulnerability. Updating will mitigate the risk of an attacker exploiting this vulnerability.
CVE-2026-25151 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.19.0. Malformed Content-Type headers can bypass CSRF protections, allowing attackers to submit unauthorized requests.
You are affected if you are using @builder.io/qwik-city versions prior to 1.19.0 and your application accepts user input via forms and permits cross-origin requests.
Upgrade to @builder.io/qwik-city version 1.19.0 or later. Consider implementing stricter Content-Type validation and reviewing CORS policies.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official @builder.io security advisory for detailed information and updates regarding CVE-2026-25151.