{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25155", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.822Z", "datePublished": "2026-02-03T21:12:13.235Z", "dateUpdated": "2026-02-04T16:59:56.030Z"}, "containers": {"cna": {"title": "[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8"}, {"name": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "< 1.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:13.235Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}], "source": {"advisory": "GHSA-vm6g-8r4h-22x8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:59:49.112641Z", "id": "CVE-2026-25155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:56.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:59:49.112641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:52.514Z"}}], "cna": {"title": "[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)", "source": {"advisory": "GHSA-vm6g-8r4h-22x8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"status": "affected", "version": "< 1.12.0"}]}], "references": [{"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "name": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:13.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25155", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:59:56.030Z", "dateReserved": "2026-01-29T15:39:11.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:12:13.235Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "06AADB22-29A3-45E2-BB6A-2F770D4AEBC7", "versionEndExcluding": "1.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}], "id": "CVE-2026-25155", "lastModified": "2026-02-10T20:07:58.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-03T22:16:30.987", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:01:57.180559+00:00", "value": {"mitigation_remediation": ["Upgrade Qwik to version 1.12.0 or later.", "Verify that the CSRF protection middleware is enabled for all endpoints that accept mutable requests.", "Implement server\u2011side validation of the Content\u2011Type header to reject malformed headers before processing the request."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Qwik JavaScript framework distributed by QwikDev. All versions of Qwik prior to 1.12.0 are impacted. The issue is fixed in Qwik 1.12.0 and later releases.", "description_and_impact": "A typo in a regular expression used by Qwik\u2019s CSRF protection middleware causes incorrect parsing of Content\u2011Type headers that contain parameters, such as multipart/form\u2011data. As a result, requests that would normally be rejected by the CSRF check can be accepted, allowing an attacker to perform unauthorized actions on behalf of an authenticated user. The weakness is a classic Cross\u2011Site Request Forgery (CWE\u2011352) flaw in request handling logic.", "risk_and_exploitability": "The CVSS base score is 5.9, indicating medium severity. EPSS is less than 1%, pointing to a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited exploitation. The likely attack vector requires an attacker to successfully craft a cross\u2011site request that targets a state\u2011changing endpoint and includes a Content\u2011Type header with parameters; successful exploitation would allow the attacker to execute actions without the victim\u2019s consent."}}}}, "created": "2026-02-04T12:05:52.146473+00:00", "updated": "2026-04-18T00:15:31.769933+00:00", "vendors": ["qwikdev", "qwikdev$PRODUCT$qwik"]}