Skip to content

Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY]#393

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-city-vulnerability
Open

Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY]#393
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-city-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 3, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@builder.io/qwik-city (source) 1.12.11.19.2 age confidence

Qwik SSR XSS via Unsafe Virtual Node Serialization

CVE-2026-25148 / GHSA-m6jq-g7gq-5w3c

More information

Details

Summary

Description
A Cross-site Scripting (CWE-79) vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.

Impact

This vulnerability impacts applications that dynamically populate Virtual Node attributes with keys/values that users can influence. Applications that hard-code these keys/values are unaffected.

Qwik doesn't use traditional hydration. Instead, it serializes application state into the HTML so the client can resume execution from the server-rendered output. To support this, Qwik v1 marks component boundaries with HTML comments. SSR builds comment content for Virtual components by concatenating structural attribute names and values without any escaping or quoting. An attacker-controlled key or value can prematurely close the HTML comment and inject arbitrary HTML/JS.

Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. Additionally, because Qwik uses these serialized comment markers for resumability, breaking comment structure can lead to resume/hydration desync and unexpected client-side behavior.

Patches

This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Prototype Pollution via FormData Processing in Qwik City

CVE-2026-25150 / GHSA-xqg6-98cw-gxhq

More information

Details

Summary

A Prototype Pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.

Impact

An unauthenticated attacker can supply specially crafted form field names that cause formToObj() to write dangerous keys (for example proto, constructor, prototype) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, auth bypass, denial-of-service, or other global application integrity failures depending on how objects are used.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

CVE-2026-25151 / GHSA-r666-8gjf-4v5f

More information

Details

Summary

Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.

Impact

A vulnerability in checkCSRF lets an attacker bypass Origin-based CSRF checks by using malformed or multi-valued Content-Type headers. Exploitation requires the CORS preflight to succeed (so it’s blocked if preflight is denied) and is possible when the application accepts cross-origin requests or via non-browser clients. Impact varies with server CORS and cookie policies and may enable unauthorized state changes.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City Open Redirect via fixTrailingSlash

CVE-2026-25149 / GHSA-92j7-wgmg-f32m

More information

Details

Summary

Description
An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.

Impact

Qwik City automatically applies the fixTrailingSlash middleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).

Exploitation allows an attacker to craft links that trigger a 301 redirect to arbitrary protocol-relative URLs. Browsers interpret this Location header as a protocol-relative URL, redirecting the user to attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.

Patches

This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City has array method pollution in FormData processing allows type confusion and DoS

CVE-2026-32701 / GHSA-whhv-gg5v-864r

More information

Details

Summary

Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays.

Description

When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names such as items.0 and items.1 into nested structures. If a path was interpreted as an array, additional attacker-controlled keys on the same path, such as items.toString, items.push, items.valueOf, or items.length, could alter the resulting server-side value in unexpected ways.

Applications that assumed these parsed values were safe arrays could be affected. Depending on application behavior, this could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code.

This issue affects form parsing in Qwik City request handling. It does not require authentication if the vulnerable route is publicly reachable.

Impact

An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape. Possible outcomes include:

  • Triggering runtime errors when application code calls array methods on attacker-influenced values
  • Inflating array length or otherwise creating malformed structures that increase server work or memory use
  • Causing type confusion in application logic that trusts parsed form data to be a normal array

There is no direct evidence that this issue enables confidentiality or integrity impact by itself; the primary risk is denial of service and application instability.

Patched Versions

Patched in 1.19.2.

Workarounds

Until patched, avoid trusting parsed form data to be a well-formed array when using dotted field names, and validate or normalize action input before using array methods or relying on array shape.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

QwikDev/qwik (@​builder.io/qwik-city)

v1.19.2

Compare Source

Patch Changes
  • 🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @​wmertens in #​8424)

  • 🐞🩹 handle special characters in dynamic route (by @​gioboa in #​8400)

v1.19.1

Compare Source

Patch Changes
  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @​ianlet in #​8385)

  • 🐞🩹 Link hash change now properly updates location.url.hash (by @​maiieul in #​8305)

v1.19.0

Compare Source

Minor Changes
Patch Changes
  • 🐞🩹 qwik-city spa routeStateInternal and routeLocation url origins mismatch (by @​maiieul in #​8234)

  • feat(qwik-city): add getOrigin option to QwikCityBunOptions and QwikCityDenoOptions for improved URL handling (by @​JerryWu1234 in #​8251)

  • Make RequestEvents readonly instead of frozen (by @​DustinJSilk in #​8135)

v1.18.0

Compare Source

Patch Changes
  • execute cleanup cb for all component tree while calling dispose.cleanup method returned by render fn (by @​sashkashishka in #​8164)

v1.17.2

Compare Source

Patch Changes
  • 🐞🩹 history behavior in some edge cases has been brought inline with the E2E tests that were accidentally disabled. (the tests can't be disabled any more either) (by @​wmertens in 206f3e0)

  • 🐞🩹 SPA routing is broken unless origin matches value in in vite.config #​8093 (by @​termermc in #​8097)

    If the SSG origin was set to localhost:3000 and a user visited from 127.0.0.1:3000, SPA routing would be broken.

    Internally, useNavigate's context provider goto checks the new destination with the last route location. If the
    origin is different, it just does a normal browser navigation. This makes sense; links to other origins cannot use
    SPA routing. However, the initial route it compares was using an origin that came from the server environment.

    Now, the first navigation will set that initial route to the browser's actual href, eliminating the erroneous
    origin mismatch for SPA navigations.

  • 🐞🩹 this in various Qwik-City handlers is now RequestEvent again. (by @​wmertens in #​8111)

v1.17.1

Compare Source

Patch Changes
  • 🐞🩹 zod is now imported as import * as z from 'zod', which vastly improves bundling. The Insights app client code reduced by 12kB. (by @​wmertens in #​8042)

v1.17.0

Compare Source

Patch Changes
  • 🐞🩹 SSG sometimes hangs after completion, now we forcibly exit the SSG process when this happens. (by @​wmertens in #​7957)

  • 🐞🩹 return 404 for missing /build/ files. (by @​gioboa in #​7914)

  • 🐞🩹 redirecting internal q-data.json requests will keep the q-data.json suffix so that the client can still fetch the correct one (by @​wmertens in #​7988)

  • 🐞🩹 solve type error when using async _resolved function (by @​JerryWu1234 in #​7426)

  • 🐞🩹 while prefetching Link data, don't navigate to captive portals (by @​wmertens in #​7988)

v1.16.1

Compare Source

Patch Changes
  • 🐞🩹 fix behaviour of checkOrigin: "lax-proto" in createQwikCity (by @​asaharan in #​7865)

  • 🛠 Add check-client command to verify bundle freshness (by @​JerryWu1234 in #​7517)

  • 🐞🩹 return 404 with invalid URL. (by @​gioboa in #​7902)

  • ✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like import "./preloader.js". (by @​maiieul in #​7908)

  • ✨ SPA Link navigation now preloads the next route bundles on click with maximum probability, speeding up SPA navigation. (by @​maiieul in #​7849)

  • 🐞🩹 Your service-worker.js won't be unregistered anymore if you added custom logic to it. (by @​maiieul in #​7872)

    Note: Qwik 1.14.0 and above now use <link rel="modulepreload"> by default. If you didn't add custom service-worker logic, you should remove your service-worker.ts file(s) for the ServiceWorkerRegister Component to actually unregister the service-worker.js and delete its related cache. Make sure to keep the ServiceWorkerRegister Component in your app (without any service-worker.ts file) as long as you want to unregister the service-worker.js for your users.

v1.16.0

Compare Source

Minor Changes
Patch Changes
  • 🐞🩹 Keeping the service worker components now properly unregisters them. (by @​maiieul in #​7781)

  • 🐞🩹 redirects no longer take their parent layout's Cache-Control value by default and are instead set to no-store. This prevents issues in redirection logic. We might introduce another API to enable caching redirects in the future. (by @​maiieul in #​7811)

  • 🐞🩹 Keeping the service worker components now also removes their associated Cache storage. (by @​maiieul in #​7782)

v1.15.0

Compare Source

Minor Changes
  • ✨ Added rewrite() to the RequestEvent object. It works like redirect but does not change the URL, (by @​omerman in #​7562)
    think of it as an internal redirect.

    Example usage:

    export const onRequest: RequestHandler = async ({ url, rewrite }) => {
      if (url.pathname.includes('/articles/the-best-article-in-the-world')) {
        const artistId = db.getArticleByName('the-best-article-in-the-world');
    
        // Url will remain /articles/the-best-article-in-the-world, but under the hood,
        // will render /articles/${artistId}
        throw rewrite(`/articles/${artistId}`);
      }
    };
Patch Changes

v1.14.1

Compare Source

v1.14.0

Compare Source

Minor Changes
  • 🐞🩹 qwik-city no longer forces q-data.json downloads, instead relying on the cache headers. This means that you have to make sure your q-data.json is served with Cache-Control headers that suit you. That file contains all the information about the route and is read for each qwik-city navigation. By default the data is cached for one hour. (by @​wmertens in #​7537)

  • 🛠 the service workers have been deprecated and replaced with entries that unregister them. If you have it enabled in production, you can remove it after a while once you are sure all your users have the new version. (by @​wmertens in #​7453)

Patch Changes
  • 🐞🩹 linting errors which were previously being ignored across the monorepo. (by @​better-salmon in #​7418)

  • 🐞🩹 Link SPA subsequent navigation now properly prefetch the next routes. (by @​maiieul in #​7590)

  • 🐞🩹 SPA Link now handle subsequent onQVisible$ passed as props. (by @​maiieul in #​7612)

v1.13.0

Compare Source

Minor Changes
Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from b1cadf9 to befd025 Compare February 17, 2026 17:35
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from befd025 to 2fd14f4 Compare March 5, 2026 18:19
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 2fd14f4 to 279596f Compare March 13, 2026 11:40
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 279596f to 1ab0294 Compare March 20, 2026 17:04
@renovate renovate Bot changed the title Update dependency @builder.io/qwik-city to v1.19.0 [SECURITY] Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] Mar 20, 2026
@renovate renovate Bot changed the title Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-builder.io-qwik-city-vulnerability branch March 27, 2026 01:30
@renovate renovate Bot changed the title Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] - autoclosed Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from 1ab0294 to cb03c2e Compare March 30, 2026 17:47
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from cb03c2e to 6632c5f Compare April 8, 2026 20:30
@codacy-production

codacy-production Bot commented Apr 8, 2026

Copy link
Copy Markdown

Not up to standards ⛔

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@renovate renovate Bot changed the title Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] - autoclosed Update dependency @builder.io/qwik-city to v1.19.2 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from 6632c5f to 86482df Compare April 27, 2026 23:07
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 86482df to ef7cf60 Compare May 12, 2026 10:44
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from ef7cf60 to 6212447 Compare May 28, 2026 15:16
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 6212447 to 86a99a9 Compare June 11, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants