CVE-2026-25149
📋 TL;DR
Qwik versions before 1.19.0 contain an open redirect in Qwik City's default request handler middleware: a redirect target supplied with the request is honoured without checking that it stays on the application's own host, so the response can send the user to an arbitrary external site. An attacker can therefore craft a link that points at the legitimate domain but lands on a phishing or malware page. Any application built on a vulnerable Qwik version is affected, and exploiting it needs no authentication.
💻 Affected Systems
- Qwik
- Qwik City
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so automated detection driven by NVD data cannot tell whether your system is affected.
Why? The vendor advisory (linked under Official Fix below) states that the fix ships in 1.19.0, but that range has not been propagated to the NVD/CPE data, so version matching against NVD returns nothing. Treat every version below 1.19.0 as vulnerable.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 1.19.0 or later regardless of what the scanner reports
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to convincing phishing sites that steal credentials, session tokens, or install malware, leading to account compromise and data breaches.
Likely Case
Attackers create convincing phishing campaigns using the trusted domain's appearance, increasing click-through rates and credential harvesting success.
If Mitigated
With user awareness training and redirect monitoring in place, the residual impact is that some phishing lures look more convincing than usual; the open redirect itself remains exploitable until the code is patched or a validating middleware is in front of it.
🎯 Exploit Status
This page references no public exploit for this CVE. Open redirects in general are routinely abused in phishing campaigns, and exploiting one requires no authentication: the attacker only has to get a victim to follow a crafted link on the trusted domain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.19.0
Vendor Advisory: https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m
Restart Required: Yes
Instructions:
1. Update the Qwik dependency to version 1.19.0 or later.
2. In package.json, set "@builder.io/qwik": "^1.19.0". If @builder.io/qwik-city is a direct dependency, bump it to the same version, since Qwik City is released in lockstep with Qwik.
3. Run npm install or yarn install and commit the updated lockfile.
4. Restart the application server.
🔧 Temporary Workarounds
Implement custom redirect validation: add middleware ahead of the default request handler that resolves every redirect target against your own origin and issues the redirect only if the resulting host is on an allowlist (or only if the target is a relative path).
Reject protocol-relative values (//host) and backslash-prefixed values (\\host, /\host), which naive "starts with /" checks let through and which browsers resolve to an external host.
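The following is an added example of the allowlist-based redirect validation this workaround calls for; it is not code from Qwik or Qwik City. It assumes a hypothetical application origin of https://app.example.com, an allowlist of two hosts, and that the redirect target arrives in a query parameter named redirect; the function names safeRedirectTarget and redirectDecision are the example's own. Wiring it into a framework handler is described only in a comment, because this page does not document the exact handler API.

```javascript
// Added example: allowlist-based redirect validation of the kind the
// workaround above describes. This is not Qwik or Qwik City code.
// Assumptions (hypothetical): the application's own origin is
// https://app.example.com, two hosts are allowed, and the redirect
// target arrives in a query parameter named "redirect".
const APP_ORIGIN = 'https://app.example.com';
const APP_HOST = new URL(APP_ORIGIN).hostname;
const ALLOWED_HOSTS = new Set([APP_HOST, 'sso.example.com']);

/**
 * Return a value that is safe to put in a Location header, or `fallback`
 * when the requested target would leave the allowed hosts.
 *
 * The key step is resolving the raw value against our own origin with the
 * WHATWG URL parser, the same way a browser will, so that bypasses such as
 * "//evil.example" (protocol-relative), "\\evil.example" and "/\evil.example"
 * (backslashes that browsers normalise to slashes) and
 * "https://app.example.com@evil.example" (userinfo trick) are all judged by
 * the host they really resolve to.
 */
function safeRedirectTarget(raw, fallback = '/') {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;
  let target;
  try {
    target = new URL(raw, APP_ORIGIN);
  } catch {
    return fallback; // unparsable input is never echoed back
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return fallback; // rejects javascript:, data:, and other schemes
  }
  if (!ALLOWED_HOSTS.has(target.hostname)) return fallback;
  // Same-app targets go back as path + query + fragment, so the Location
  // header never carries an origin at all.
  if (target.hostname === APP_HOST) {
    return target.pathname + target.search + target.hash;
  }
  return target.href;
}

/**
 * Middleware-shaped helper: inspect the incoming request URL and decide
 * whether (and where) to redirect. Returns null when no redirect was asked
 * for. Wiring this into a framework handler, for instance a Qwik City
 * onRequest that calls the request event's redirect() with the result, is
 * left to the caller and is an assumption of this example, not an API the
 * page documents.
 */
function redirectDecision(requestUrl) {
  const url = new URL(requestUrl);
  const raw = url.searchParams.get('redirect');
  if (raw === null) return null;
  return { status: 302, location: safeRedirectTarget(raw) };
}

// Demo on constructed inputs (not taken from any real request).
for (const raw of [
  '/account?tab=security',
  'https://sso.example.com/start',
  '//evil.example/phish',
  '\\\\evil.example',
  '/\\evil.example',
  'https://app.example.com@evil.example/',
  'javascript:alert(1)',
]) {
  console.log(JSON.stringify(raw), '->', safeRedirectTarget(raw));
}
```

The design point is that the check is made on the parsed result, not on the raw string: a prefix test such as "starts with /" accepts //evil.example, and a substring test for "http" misses backslash and protocol-relative forms entirely. Returning only path, query and fragment for same-application targets also means a future allowlist mistake cannot turn the handler back into an open redirect for the common case.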
🧯 If You Can't Patch
- Add WAF rules that block redirect parameters whose value starts with //, \\ or /\, or that contain an absolute URL to a host outside your allowlist (adjust the parameter name to what your handler actually reads)
- Monitor logs for unusual redirect patterns and educate users about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check package.json and the lockfile for an @builder.io/qwik version below 1.19.0 (the lockfile shows what is actually installed, which may differ from the package.json range)
Check Version:
npm list @builder.io/qwik
Verify Fix Applied:
Confirm that npm list reports @builder.io/qwik 1.19.0 or higher, then exercise the redirect path with an external or protocol-relative target (for example //example.org) and confirm the response no longer leaves your own domain
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in application logs
- Requests with suspicious redirect parameters
Network Indicators:
- HTTP 302/301 responses to unexpected domains
- Protocol-relative URLs in redirect responses
SIEM Query (pseudo-syntax; map the field names to your log schema):
http.status_code IN (301, 302, 303, 307, 308) AND http.response.headers.location IS NOT NULL AND NOT host(http.response.headers.location) IN allowed_domains
The destination of a redirect is in the Location response header, not in the request's url.domain (which is always your own host), so the check must be made on that header. A query keyed only on url.query CONTAINS "redirect" also misses handlers that read the target from a differently named parameter.
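An added example, not from the original page or the Qwik project, showing the Location-header check above run over constructed log lines. The log layout (timestamp, status, method, request path, then the Location header value in quotes), the origin https://app.example.com, the allowlist and the function names are all assumptions of this example; adapt the line regex to your own access-log format.

```javascript
// Added example: a small detector for the log indicators listed above.
// Not Qwik or Qwik City code. The log format, origin and allowlist are
// constructed for this example.
const OWN_ORIGIN = 'https://app.example.com';                      // assumed
const ALLOWED_HOSTS = new Set(['app.example.com', 'sso.example.com']); // assumed
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Constructed sample lines (not real traffic). Line 6 carries a
// backslash-prefixed Location value, encoded as %5C%5C in the request.
const SAMPLE_LOG = `
2026-02-10T09:00:01Z 302 GET /login?redirect=/account location="/account"
2026-02-10T09:00:02Z 302 GET /login?redirect=//evil.example/x location="//evil.example/x"
2026-02-10T09:00:03Z 200 GET /account location=""
2026-02-10T09:00:04Z 302 GET /login?redirect=https://sso.example.com/start location="https://sso.example.com/start"
2026-02-10T09:00:05Z 301 GET /old location="https://app.example.com/new"
2026-02-10T09:00:06Z 302 GET /login?redirect=%5C%5Cevil.example location="\\\\evil.example"
`.trim();

// One line of the constructed format: ts status method path location="..."
const LINE_RE = /^(\S+) (\d{3}) (\S+) (\S+) location="([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], status: Number(m[2]), method: m[3], path: m[4], location: m[5] };
}

// Resolve the Location value the way a browser would, relative to our own
// origin, and report the host it actually lands on. Protocol-relative and
// backslash forms resolve to a foreign host here, which is why a substring
// match on "http" in the Location header misses them.
function redirectHost(location) {
  try {
    return new URL(location, OWN_ORIGIN).hostname;
  } catch {
    return null;
  }
}

// Return every redirect response whose destination is not on the allowlist,
// with the reasons it was flagged.
function findSuspiciousRedirects(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const entry = parseLine(line);
    if (!entry || !REDIRECT_STATUSES.has(entry.status)) continue;
    const host = redirectHost(entry.location);
    const reasons = [];
    if (host === null) reasons.push('unparsable-location');
    else if (!ALLOWED_HOSTS.has(host)) reasons.push(`external-host:${host}`);
    if (/^(\/\/|\\\\|\/\\)/.test(entry.location)) reasons.push('protocol-relative-or-backslash');
    if (reasons.length > 0) findings.push({ ...entry, host, reasons });
  }
  return findings;
}

for (const f of findSuspiciousRedirects(SAMPLE_LOG)) {
  console.log(f.ts, f.status, f.path, '->', f.location, f.reasons.join(','));
}
```

Run against the sample, only the two lines that redirect to evil.example are reported; the redirect to the allowlisted SSO host and the internal 301 are not, which is the difference between checking where the Location header actually resolves and merely matching "redirect" in the query string.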