CVE-2026-25150: Prototype Pollution via FormData Processing in Qwik City

February 3, 2026

A Prototype Pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.

References

github.com/QwikDev/qwik
github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7
github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq
github.com/advisories/GHSA-xqg6-98cw-gxhq
nvd.nist.gov/vuln/detail/CVE-2026-25150

Code Behaviors & Features

Detect and mitigate CVE-2026-25150 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →