{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25151", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.821Z", "datePublished": "2026-02-03T21:12:25.699Z", "dateUpdated": "2026-02-04T16:59:15.226Z"}, "containers": {"cna": {"title": "Qwik City has a CSRF Protection Bypass via Content-Type Header Validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f"}, {"name": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "< 1.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:25.699Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City\u2019s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0."}], "source": {"advisory": "GHSA-r666-8gjf-4v5f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:59:07.707722Z", "id": "CVE-2026-25151", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:15.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25151", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:59:07.707722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:11.327Z"}}], "cna": {"title": "Qwik City has a CSRF Protection Bypass via Content-Type Header Validation", "source": {"advisory": "GHSA-r666-8gjf-4v5f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"status": "affected", "version": "< 1.19.0"}]}], "references": [{"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f", "name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed", "name": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City\u2019s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:25.699Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25151", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:59:15.226Z", "dateReserved": "2026-01-29T15:39:11.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:12:25.699Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8A329D09-A8EB-4297-8BD9-4E862179FE54", "versionEndExcluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City\u2019s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0."}], "id": "CVE-2026-25151", "lastModified": "2026-02-10T20:08:58.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:30.840", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:09:09.916588+00:00", "value": {"mitigation_remediation": ["Upgrade Qwik to version 1.19.0 or later, which includes the fix for header validation issues.", "Configure the application to enforce strict single\u2011valued Content\u2011Type header checks, rejecting requests that contain repeated or unexpected header values.", "Deploy a web\u2011application firewall or reverse proxy to monitor and block requests using suspicious Content\u2011Type header patterns before they reach the Qwik server."], "summary": {"action": "Apply patch", "impact": "CSRF Protection Bypass"}, "threat_synthesis": {"affected_systems": "Qwik City implementations that use any QwikDev product prior to version 1.19.0 are vulnerable. The affected product \u2013 the Qwik framework \u2013 is distributed by QwikDev and is used in Node.js environments.", "description_and_impact": "A flaw in Qwik City\u2019s server\u2011side request handling allows an attacker to manipulate the Content\u2011Type header in such a way that the platform cannot reliably detect a legitimate form submission. This inconsistent interpretation can be exploited to bypass established CSRF protections and carry out unauthorized actions on behalf of an authenticated user. The vulnerability is specifically tied to a type of cross\u2011site request forgery weakness.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate risk, while the EPSS score of less than 1% shows a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code remotely by crafting HTTP requests with aberrant or multi\u2011valued Content\u2011Type headers; no special network or system access is required beyond standard web traffic."}}}}, "created": "2026-02-04T12:05:50.713297+00:00", "updated": "2026-04-18T14:15:04.132417+00:00", "vendors": ["qwikdev", "qwikdev$PRODUCT$qwik"]}