Description

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.

INFO

Published Date :

2026-02-03T21:12:50.417Z

Last Modified :

2026-02-04T16:31:46.643Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25150 vulnerability.

Vendors Products
Qwik
  • Qwik
Qwikdev
  • Qwik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25150.

URL Resource
https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 cve-icon cve-icon
https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact