CVE-2026-25155 - Vulnerability Details - OpenCVE

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qwikdev	Qwik

No data.

No data.

References

Link	Providers
https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75
https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8

History

Wed, 04 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qwikdev Qwikdev qwik
Vendors & Products		Qwikdev Qwikdev qwik

Tue, 03 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Title		[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
Weaknesses		CWE-352
References		https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75 https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-03T21:12:13.235Z

Updated: 2026-02-04T16:59:56.030Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25155

Vulnrichment

Updated: 2026-02-04T16:59:52.514Z

NVD

Status : Awaiting Analysis

Published: 2026-02-03T22:16:30.987

Modified: 2026-02-04T16:33:44.537

Link: CVE-2026-25155

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25155", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.822Z", "datePublished": "2026-02-03T21:12:13.235Z", "dateUpdated": "2026-02-04T16:59:56.030Z"}, "containers": {"cna": {"title": "[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8"}, {"name": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "< 1.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:13.235Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}], "source": {"advisory": "GHSA-vm6g-8r4h-22x8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:59:49.112641Z", "id": "CVE-2026-25155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:56.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:59:49.112641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:52.514Z"}}], "cna": {"title": "[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)", "source": {"advisory": "GHSA-vm6g-8r4h-22x8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"status": "affected", "version": "< 1.12.0"}]}], "references": [{"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "name": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:13.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25155", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:59:56.030Z", "dateReserved": "2026-01-29T15:39:11.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:12:13.235Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}