CVE-2026-25151: Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

February 3, 2026

Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.

References

github.com/QwikDev/qwik
github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed
github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f
github.com/advisories/GHSA-r666-8gjf-4v5f
nvd.nist.gov/vuln/detail/CVE-2026-25151

Code Behaviors & Features

Detect and mitigate CVE-2026-25151 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →