CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d	Patch
https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-20 09:16

Updated : 2026-03-23 15:30

NVD link : CVE-2026-32701

Mitre link : CVE-2026-32701

CVE.ORG link : CVE-2026-32701

JSON object : View

Products Affected

qwik

qwik

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2026-32701", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T09:16:14.520", "references": [{"url": "https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-843"}, {"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path\u2014such as items.toString, items.push, items.valueOf, or items.length\u2014could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2."}, {"lang": "es", "value": "Qwik es un framework de JavaScript centrado en el rendimiento. Las versiones anteriores a la 1.19.2 infer\u00edan incorrectamente arrays a partir de nombres de campos de formulario con puntos durante el an\u00e1lisis de FormData. Al enviar claves de \u00edndice de array y de propiedad de objeto mezcladas para la misma ruta, un atacante podr\u00eda hacer que las propiedades controladas por el usuario se escribieran sobre valores que el c\u00f3digo de la aplicaci\u00f3n esperaba que fueran arrays. Al procesar solicitudes application/x-www-form-urlencoded o multipart/form-data, Qwik City convert\u00eda los nombres de campo con puntos (p. ej., items.0, items.1) en estructuras anidadas. Si una ruta se interpretaba como un array, claves adicionales proporcionadas por el atacante en esa ruta \u2014como items.toString, items.push, items.valueOf o items.length\u2014 podr\u00edan alterar el valor resultante del lado del servidor de formas inesperadas, lo que podr\u00eda llevar a fallos en el manejo de solicitudes, denegaci\u00f3n de servicio a trav\u00e9s de un estado de array malformado o longitudes excesivas, y confusi\u00f3n de tipos en el c\u00f3digo subsiguiente. Este problema se solucion\u00f3 en la versi\u00f3n 1.19.2."}], "lastModified": "2026-03-23T15:30:54.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EF7EC6DC-930F-497B-BAA2-E236F71CE7CB", "versionEndExcluding": "1.19.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}