{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25149", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.821Z", "datePublished": "2026-02-03T21:11:55.902Z", "dateUpdated": "2026-02-04T19:59:30.294Z"}, "containers": {"cna": {"title": "Qwik City Open Redirect via fixTrailingSlash", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m"}, {"name": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "< 1.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:11:55.902Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0."}], "source": {"advisory": "GHSA-92j7-wgmg-f32m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:59:21.273728Z", "id": "CVE-2026-25149", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:59:30.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:59:21.273728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:59:26.654Z"}}], "cna": {"title": "Qwik City Open Redirect via fixTrailingSlash", "source": {"advisory": "GHSA-92j7-wgmg-f32m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"status": "affected", "version": "< 1.19.0"}]}], "references": [{"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m", "name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed", "name": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:11:55.902Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25149", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:59:30.294Z", "dateReserved": "2026-01-29T15:39:11.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:11:55.902Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8A329D09-A8EB-4297-8BD9-4E862179FE54", "versionEndExcluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0."}], "id": "CVE-2026-25149", "lastModified": "2026-02-10T20:11:36.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:30.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:33:47.181340+00:00", "value": {"mitigation_remediation": ["Upgrade Qwik to version\u202f1.19.0 or later.", "Apply proper redirect validation or restrict redirect targets to a whitelist of trusted domains.", "If upgrading is not immediately feasible, disable the vulnerable default request handler or replace it with a secure implementation."], "summary": {"action": "Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "Affected systems include QwikDev\u2019s Qwik framework deployed in any environment before version\u00a01.19.0, running on supported runtimes such as Node.js. Users who have not upgraded to or beyond the patched release are potentially exposed through the framework\u2019s default request handler.", "description_and_impact": "A remote attacker can redirect users to arbitrary protocol\u2011relative URLs by exploiting an open redirect flaw in the default request handler middleware of Qwik City, a performance\u2011focused JavaScript framework. Prior to version\u00a01.19.0 this vulnerability allows attackers to craft convincing phishing links that appear to originate from a trusted domain yet lead victims to attacker\u2011controlled sites. The weakness, identified as CWE\u2011601, originates from the middleware\u2019s handling of trailing\u2011slash logic without validating the redirect target.", "risk_and_exploitability": "The CVSS score of\u00a02.7 classifies the issue as low severity, and the EPSS score of\u202f<\u202f1\u202f% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to embed a crafted URL in content served by the vulnerable application; the request handler processes the trailing\u2011slash logic without validating the target, thereby enabling the redirect."}}}}, "created": "2026-02-04T12:06:06.425243+00:00", "updated": "2026-04-18T18:45:05.747752+00:00", "vendors": ["qwikdev", "qwikdev$PRODUCT$qwik"]}