CVE-2026-25150
📋 TL;DR
This prototype pollution vulnerability in Qwik's formToObj() function allows unauthenticated attackers to modify Object.prototype by sending specially crafted HTTP POST requests with dangerous property names. This could lead to privilege escalation, authentication bypass, or denial of service. All Qwik applications using affected versions of @builder.io/qwik-city middleware are vulnerable.
💻 Affected Systems
- Qwik
- @builder.io/qwik-city
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation to admin, authentication bypass allowing unauthorized access, or persistent denial of service affecting all users.
Likely Case
Authentication bypass allowing unauthorized access to protected resources or denial of service affecting application availability.
If Mitigated
Limited impact with proper input validation and security controls, potentially only causing minor application instability.
🎯 Exploit Status
Exploitation requires only HTTP POST requests with crafted form data, making this easily weaponizable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.19.0
Vendor Advisory: https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq
Restart Required: Yes
Instructions:
1. Update @builder.io/qwik to version 1.19.0 or later. 2. Update @builder.io/qwik-city to version 1.19.0 or later. 3. Restart your application server. 4. Verify the fix by testing form submissions.
🔧 Temporary Workarounds
Input Validation Middleware
allAdd custom middleware to sanitize form field names before they reach formToObj() function
// Add middleware to filter dangerous property names
app.use((req, res, next) => {
if (req.body) {
const dangerousProps = ['__proto__', 'constructor', 'prototype'];
dangerousProps.forEach(prop => {
if (req.body[prop]) delete req.body[prop];
});
}
next();
});
🧯 If You Can't Patch
- Implement WAF rules to block HTTP POST requests containing __proto__, constructor, or prototype in form field names
- Disable or remove the formToObj() function from your application if not essential
🔍 How to Verify
Check if Vulnerable:
Check package.json for @builder.io/qwik and @builder.io/qwik-city versions below 1.19.0Check Version:
npm list @builder.io/qwik @builder.io/qwik-cityVerify Fix Applied:
Verify both @builder.io/qwik and @builder.io/qwik-city are at version 1.19.0 or higher in package.json📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests with form fields containing __proto__, constructor, or prototype
- Unusual authentication events or privilege changes
Network Indicators:
- HTTP POST requests to form endpoints with suspicious field names
- Increased error rates after form submissions
SIEM Query:
source="web_logs" method="POST" (form_field="*__proto__*" OR form_field="*constructor*" OR form_field="*prototype*")