Description A Cross-site Scripting (CWE-79) vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Description An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.
A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers.
A Prototype Pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like proto, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.
Possibility to craft a request that will crash the Qwik Server in the default configuration.
This advisory duplicates another.
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.