平台
nodejs
组件
@builder.io/qwik-city
修复版本
1.19.1
1.19.0
CVE-2026-25151 describes a Cross-Site Request Forgery (CSRF) vulnerability within @builder.io/qwik-city, a server-side request handler. This flaw allows attackers to circumvent CSRF protections by exploiting inconsistent header interpretation. The vulnerability affects versions prior to 1.19.0, and a patch has been released. Users should immediately upgrade to the fixed version to prevent potential exploitation.
The core of the vulnerability lies in how Qwik City handles HTTP request headers. Specifically, it inconsistently interprets Content-Type headers, allowing attackers to craft malicious requests with malformed or multi-valued headers. Successful exploitation bypasses Origin-based CSRF checks, enabling attackers to submit unauthorized requests on behalf of authenticated users. This could lead to unauthorized data modification, account takeover, or other actions depending on the application's functionality. The attack's success hinges on the application accepting cross-origin requests or being accessed via non-browser clients where CORS preflight succeeds. While requiring a successful CORS preflight, the potential impact remains significant, especially in applications with sensitive data or critical operations.
CVE-2026-25151 was publicly disclosed on 2026-02-03. There is currently no known public proof-of-concept (POC) available, but the vulnerability's nature suggests a relatively low barrier to entry for exploitation once a POC is developed. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Applications built with @builder.io/qwik-city that accept user input via forms and permit cross-origin requests are particularly at risk. Shared hosting environments where multiple applications share the same server and resources could also be affected, as a compromised application could potentially impact others.
• nodejs / server:
ps aux | grep qwik-city
find / -name "@builder.io/qwik-city*" -type d• generic web:
curl -I https://your-app.com/some-form | grep Content-Type• generic web: Review access logs for requests with unusual or multi-valued Content-Type headers.
disclosure
漏洞利用状态
EPSS
0.01% (1% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to upgrade to @builder.io/qwik-city version 1.19.0 or later, which addresses the header parsing issue. If immediate upgrading is not feasible, consider implementing stricter Content-Type validation on the server-side to reject malformed or multi-valued headers. WAF rules can be configured to block requests with suspicious Content-Type headers. Additionally, ensure that CORS policies are configured to restrict cross-origin requests where possible, limiting the attack surface. Review and strengthen existing CSRF protection mechanisms to provide an additional layer of defense.
升级 Qwik 到 1.19.0 或更高版本。此版本包含对 CSRF 保护绕过漏洞的修复。升级将降低攻击者利用此漏洞的风险。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-25151 is a CSRF vulnerability in @builder.io/qwik-city versions before 1.19.0. Malformed Content-Type headers can bypass CSRF protections, allowing attackers to submit unauthorized requests.
You are affected if you are using @builder.io/qwik-city versions prior to 1.19.0 and your application accepts user input via forms and permits cross-origin requests.
Upgrade to @builder.io/qwik-city version 1.19.0 or later. Consider implementing stricter Content-Type validation and reviewing CORS policies.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official @builder.io security advisory for detailed information and updates regarding CVE-2026-25151.