GHSA-r666-8gjf-4v5f

Source
https://github.com/advisories/GHSA-r666-8gjf-4v5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-r666-8gjf-4v5f/GHSA-r666-8gjf-4v5f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r666-8gjf-4v5f
Aliases
Published
2026-02-03T20:49:58Z
Modified
2026-02-04T18:08:22.625367Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
Details

Summary

Qwik City’s server-side request handler interprets HTTP request headers, in particular Content-Type, inconsistently. A remote attacker can abuse this to circumvent the CSRF protection applied to form submissions by sending a specially crafted or multi-valued Content-Type header.

Impact

A flaw in checkCSRF lets an attacker bypass the Origin-based CSRF check by sending a malformed or multi-valued Content-Type header. Exploitation requires the CORS preflight to succeed: such a header value is not CORS-safelisted, so a browser issues a preflight first, and the attack is blocked if the server denies it. The bypass is therefore reachable when the application accepts cross-origin requests, or from non-browser clients that do not perform CORS at all. Impact depends on the server’s CORS and cookie (SameSite) policies and may enable unauthorized state changes on behalf of an authenticated user.
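The following TypeScript is an added illustration of the weakness class described above, not Qwik City’s code: all names (checkCsrfBrittle, checkCsrfHardened, lenientMediaType, strictMediaType, the Req shape) and the sample requests are hypothetical. It models a CSRF check that decides whether a request is a form submission from the Content-Type header, shows how a multi-valued value slips past a check that reads the header one way while a permissive body parser reads it another, and shows a hardened check that uses one strict parser and fails closed on anything ambiguous.

```typescript
// Added example (hypothetical, not Qwik City's code): a CSRF check that
// classifies form submissions from Content-Type is bypassed when it interprets
// that header differently from the code that parses the request body.

const FORM_MEDIA_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

interface Req {
  method: string;
  url: string;                      // absolute request URL
  headers: Record<string, string>;  // lower-cased names, values as received
}

// Lenient reading, as a permissive body parser might do: first list member,
// parameters dropped, trimmed, lower-cased. "a, b" therefore becomes "a".
function lenientMediaType(contentType: string | undefined): string | undefined {
  if (contentType === undefined) return undefined;
  const first = contentType.split(",")[0] ?? "";
  return (first.split(";")[0] ?? "").trim().toLowerCase();
}

// Strict reading: exactly one media type, type and subtype must be HTTP tokens.
// List syntax or stray characters make the value unparseable (undefined).
function strictMediaType(contentType: string | undefined): string | undefined {
  if (contentType === undefined || contentType.includes(",")) return undefined;
  const type = (contentType.split(";")[0] ?? "").trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp(`^${token}/${token}$`).test(type) ? type : undefined;
}

function originMatches(req: Req): boolean {
  const origin = req.headers["origin"];
  if (origin === undefined) return false;  // no Origin on a form POST: fail closed
  return origin === new URL(req.url).origin;
}

// Vulnerable pattern: the Origin check runs only when the raw header value is
// exactly one of the form types, so any deviation skips the check entirely.
function checkCsrfBrittle(req: Req): boolean {
  const raw = req.headers["content-type"];
  if (raw === undefined || !FORM_MEDIA_TYPES.has(raw)) return true;  // "not a form"
  return originMatches(req);
}

// A permissive body parser using the lenient reading still treats the same
// request as a form submission and would apply the attacker's fields.
function bodyParsedAsForm(req: Req): boolean {
  const type = lenientMediaType(req.headers["content-type"]);
  return type !== undefined && FORM_MEDIA_TYPES.has(type);
}

// Hardened: state-changing methods only, one strict parser, and a header that
// cannot be parsed unambiguously is treated as a form submission (fail closed).
// The body parser must use strictMediaType as well so both sides agree.
function checkCsrfHardened(req: Req): boolean {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  const raw = req.headers["content-type"];
  if (raw === undefined) return true;  // no declared body type: nothing to parse as a form
  const type = strictMediaType(raw);
  if (type !== undefined && !FORM_MEDIA_TYPES.has(type)) return true;  // e.g. application/json
  return originMatches(req);
}

// Constructed sample requests (not captured traffic).
const crossSiteMultiValued: Req = {
  method: "POST",
  url: "https://app.example/account/email",
  headers: {
    origin: "https://evil.example",
    "content-type": "application/x-www-form-urlencoded, text/plain",
  },
};
const sameOriginForm: Req = {
  method: "POST",
  url: "https://app.example/account/email",
  headers: {
    origin: "https://app.example",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
};
```

Run against crossSiteMultiValued, checkCsrfBrittle returns true (the check is skipped because the raw value is not an exact set member) while bodyParsedAsForm also returns true, which is the inconsistency that turns into a CSRF bypass; checkCsrfHardened returns false for the same request. As the advisory notes, a browser would preflight a request carrying such a Content-Type, so this only reaches the handler when the server's CORS configuration lets that preflight succeed.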

Database specific
{
    "github_reviewed_at": "2026-02-03T20:49:58Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-02-03T22:16:30Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE"
}
Affected packages

npm / @builder.io/qwik-city

Package

Name
@builder.io/qwik-city
Purl
pkg:npm/%40builder.io/qwik-city

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-r666-8gjf-4v5f/GHSA-r666-8gjf-4v5f.json"