Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY]#393
Open
renovate[bot] wants to merge 1 commit into
Open
Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY]#393renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
b1cadf9 to
befd025
Compare
befd025 to
2fd14f4
Compare
2fd14f4 to
279596f
Compare
279596f to
1ab0294
Compare
1ab0294 to
cb03c2e
Compare
cb03c2e to
6632c5f
Compare
Not up to standards ⛔
|
6632c5f to
86482df
Compare
86482df to
ef7cf60
Compare
ef7cf60 to
6212447
Compare
6212447 to
86a99a9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.12.1→1.19.2Qwik SSR XSS via Unsafe Virtual Node Serialization
CVE-2026-25148 / GHSA-m6jq-g7gq-5w3c
More information
Details
Summary
Description
A Cross-site Scripting (CWE-79) vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Impact
This vulnerability impacts applications that dynamically populate Virtual Node attributes with keys/values that users can influence. Applications that hard-code these keys/values are unaffected.
Qwik doesn't use traditional hydration. Instead, it serializes application state into the HTML so the client can resume execution from the server-rendered output. To support this, Qwik v1 marks component boundaries with HTML comments. SSR builds comment content for Virtual components by concatenating structural attribute names and values without any escaping or quoting. An attacker-controlled key or value can prematurely close the HTML comment and inject arbitrary HTML/JS.
Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. Additionally, because Qwik uses these serialized comment markers for resumability, breaking comment structure can lead to resume/hydration desync and unexpected client-side behavior.
Patches
This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prototype Pollution via FormData Processing in Qwik City
CVE-2026-25150 / GHSA-xqg6-98cw-gxhq
More information
Details
Summary
A Prototype Pollution vulnerability exists in the
formToObj()function within@builder.io/qwik-citymiddleware. The function processes form field names with dot notation (e.g.,user.name) to create nested objects, but fails to sanitize dangerous property names like__proto__,constructor, andprototype. This allows unauthenticated attackers to polluteObject.prototypeby sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.Impact
An unauthenticated attacker can supply specially crafted form field names that cause formToObj() to write dangerous keys (for example proto, constructor, prototype) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, auth bypass, denial-of-service, or other global application integrity failures depending on how objects are used.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
CVE-2026-25151 / GHSA-r666-8gjf-4v5f
More information
Details
Summary
Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.
Impact
A vulnerability in checkCSRF lets an attacker bypass Origin-based CSRF checks by using malformed or multi-valued Content-Type headers. Exploitation requires the CORS preflight to succeed (so it’s blocked if preflight is denied) and is possible when the application accepts cross-origin requests or via non-browser clients. Impact varies with server CORS and cookie policies and may enable unauthorized state changes.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City Open Redirect via fixTrailingSlash
CVE-2026-25149 / GHSA-92j7-wgmg-f32m
More information
Details
Summary
Description
An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Impact
Qwik City automatically applies the
fixTrailingSlashmiddleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).Exploitation allows an attacker to craft links that trigger a 301 redirect to arbitrary protocol-relative URLs. Browsers interpret this Location header as a protocol-relative URL, redirecting the user to attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.
Patches
This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City has array method pollution in FormData processing allows type confusion and DoS
CVE-2026-32701 / GHSA-whhv-gg5v-864r
More information
Details
Summary
Qwik City improperly inferred arrays from dotted form field names during
FormDataparsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays.Description
When processing
application/x-www-form-urlencodedormultipart/form-datarequests, Qwik City converted dotted field names such asitems.0anditems.1into nested structures. If a path was interpreted as an array, additional attacker-controlled keys on the same path, such asitems.toString,items.push,items.valueOf, oritems.length, could alter the resulting server-side value in unexpected ways.Applications that assumed these parsed values were safe arrays could be affected. Depending on application behavior, this could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code.
This issue affects form parsing in Qwik City request handling. It does not require authentication if the vulnerable route is publicly reachable.
Impact
An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape. Possible outcomes include:
There is no direct evidence that this issue enables confidentiality or integrity impact by itself; the primary risk is denial of service and application instability.
Patched Versions
Patched in 1.19.2.
Workarounds
Until patched, avoid trusting parsed form data to be a well-formed array when using dotted field names, and validate or normalize action input before using array methods or relying on array shape.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
QwikDev/qwik (@builder.io/qwik-city)
v1.19.2Compare Source
Patch Changes
🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @wmertens in #8424)
🐞🩹 handle special characters in dynamic route (by @gioboa in #8400)
v1.19.1Compare Source
Patch Changes
🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)
🐞🩹 Link hash change now properly updates location.url.hash (by @maiieul in #8305)
v1.19.0Compare Source
Minor Changes
QwikCityMockProvider(by @alexismch in #8102)Patch Changes
🐞🩹 qwik-city spa routeStateInternal and routeLocation url origins mismatch (by @maiieul in #8234)
feat(qwik-city): add getOrigin option to QwikCityBunOptions and QwikCityDenoOptions for improved URL handling (by @JerryWu1234 in #8251)
Make RequestEvents readonly instead of frozen (by @DustinJSilk in #8135)
v1.18.0Compare Source
Patch Changes
v1.17.2Compare Source
Patch Changes
🐞🩹 history behavior in some edge cases has been brought inline with the E2E tests that were accidentally disabled. (the tests can't be disabled any more either) (by @wmertens in
206f3e0)🐞🩹 SPA routing is broken unless origin matches value in in vite.config #8093 (by @termermc in #8097)
If the SSG origin was set to
localhost:3000and a user visited from127.0.0.1:3000, SPA routing would be broken.Internally, useNavigate's context provider
gotochecks the new destination with the last route location. If theorigin is different, it just does a normal browser navigation. This makes sense; links to other origins cannot use
SPA routing. However, the initial route it compares was using an origin that came from the server environment.
Now, the first navigation will set that initial route to the browser's actual href, eliminating the erroneous
origin mismatch for SPA navigations.
🐞🩹
thisin various Qwik-City handlers is nowRequestEventagain. (by @wmertens in #8111)v1.17.1Compare Source
Patch Changes
zodis now imported asimport * as z from 'zod', which vastly improves bundling. The Insights app client code reduced by 12kB. (by @wmertens in #8042)v1.17.0Compare Source
Patch Changes
🐞🩹 SSG sometimes hangs after completion, now we forcibly exit the SSG process when this happens. (by @wmertens in #7957)
🐞🩹 return 404 for missing /build/ files. (by @gioboa in #7914)
🐞🩹 redirecting internal q-data.json requests will keep the q-data.json suffix so that the client can still fetch the correct one (by @wmertens in #7988)
🐞🩹 solve type error when using async _resolved function (by @JerryWu1234 in #7426)
🐞🩹 while prefetching Link data, don't navigate to captive portals (by @wmertens in #7988)
v1.16.1Compare Source
Patch Changes
🐞🩹 fix behaviour of checkOrigin: "lax-proto" in createQwikCity (by @asaharan in #7865)
🛠 Add check-client command to verify bundle freshness (by @JerryWu1234 in #7517)
🐞🩹 return 404 with invalid URL. (by @gioboa in #7902)
✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like
import "./preloader.js". (by @maiieul in #7908)✨ SPA Link navigation now preloads the next route bundles on click with maximum probability, speeding up SPA navigation. (by @maiieul in #7849)
🐞🩹 Your service-worker.js won't be unregistered anymore if you added custom logic to it. (by @maiieul in #7872)
v1.16.0Compare Source
Minor Changes
Patch Changes
🐞🩹 Keeping the service worker components now properly unregisters them. (by @maiieul in #7781)
🐞🩹 redirects no longer take their parent layout's Cache-Control value by default and are instead set to
no-store. This prevents issues in redirection logic. We might introduce another API to enable caching redirects in the future. (by @maiieul in #7811)🐞🩹 Keeping the service worker components now also removes their associated Cache storage. (by @maiieul in #7782)
v1.15.0Compare Source
Minor Changes
✨ Added rewrite() to the RequestEvent object. It works like redirect but does not change the URL, (by @omerman in #7562)
think of it as an internal redirect.
Example usage:
Patch Changes
🐞🩹 Change Content-Type header in qwik requests to respect RFC 7231 (by @joaomaridalho in #7690)
🐞🩹 link/useNavigate with query params don't override loader/middleware redirect with query params anymore. (by @maiieul in #7733)
🐞🩹 allow cross-protocol requests from the same domain (by @gioboa in #7693)
🛠 update devDependencies and configurations (by @JerryWu1234 in #7695)
🐞🩹 Duplicate ServerError class during dev mode (by @wmertens in #7724)
v1.14.1Compare Source
v1.14.0Compare Source
Minor Changes
🐞🩹 qwik-city no longer forces
q-data.jsondownloads, instead relying on the cache headers. This means that you have to make sure yourq-data.jsonis served withCache-Controlheaders that suit you. That file contains all the information about the route and is read for each qwik-city navigation. By default the data is cached for one hour. (by @wmertens in #7537)🛠 the service workers have been deprecated and replaced with entries that unregister them. If you have it enabled in production, you can remove it after a while once you are sure all your users have the new version. (by @wmertens in #7453)
Patch Changes
🐞🩹 linting errors which were previously being ignored across the monorepo. (by @better-salmon in #7418)
🐞🩹 Link SPA subsequent navigation now properly prefetch the next routes. (by @maiieul in #7590)
🐞🩹 SPA Link now handle subsequent onQVisible$ passed as props. (by @maiieul in #7612)
v1.13.0Compare Source
Minor Changes
🐞🩹 server$ errors can be caught by @plugin middleware (by @DustinJSilk in #7185)
refactor: Error types are standardised across server$ functions and routeLoaders (by @DustinJSilk in #7185)
✨ 499 is now a valid status code (by @DustinJSilk in #7185)
🐞🩹 server$ functions now correctly throw 4xx errors on the client (by @DustinJSilk in #7185)
Patch Changes
🐞🩹 Error boundary
ErrorBoundaryand fixuseErrorBoundary(by @damianpumar in #7342)🐞🩹 Write Response object in the send request event even on redirects (by @nelsonprsousa in #7422)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.