CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75	Patch
https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-03 22:16

Updated : 2026-02-10 20:07

NVD link : CVE-2026-25155

Mitre link : CVE-2026-25155

CVE.ORG link : CVE-2026-25155

JSON object : View

Products Affected

qwik

qwik

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-25155", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-02-03T22:16:30.987", "references": [{"url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}, {"lang": "es", "value": "Qwik es un framework de JavaScript centrado en el rendimiento. Antes de la versi\u00f3n 1.12.0, un error tipogr\u00e1fico en la expresi\u00f3n regular dentro de isContentType provoca un an\u00e1lisis incorrecto de ciertos encabezados Content-Type. Este problema ha sido parcheado en la versi\u00f3n 1.12.0."}], "lastModified": "2026-02-10T20:07:58.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "06AADB22-29A3-45E2-BB6A-2F770D4AEBC7", "versionEndExcluding": "1.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}