GHSA-xqg6-98cw-gxhq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xqg6-98cw-gxhq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-xqg6-98cw-gxhq/GHSA-xqg6-98cw-gxhq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xqg6-98cw-gxhq
- Aliases
- Published
- 2026-02-03T20:49:22Z
- Modified
- 2026-02-04T18:09:26.229679Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L CVSS Calculator
- Summary
- Prototype Pollution via FormData Processing in Qwik City
- Details
-
Summary
A Prototype Pollution vulnerability exists in the
formToObj()function within@builder.io/qwik-citymiddleware. The function processes form field names with dot notation (e.g.,user.name) to create nested objects, but fails to sanitize dangerous property names like__proto__,constructor, andprototype. This allows unauthenticated attackers to polluteObject.prototypeby sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.Impact
An unauthenticated attacker can supply specially crafted form field names that cause formToObj() to write dangerous keys (for example proto, constructor, prototype) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, auth bypass, denial-of-service, or other global application integrity failures depending on how objects are used.
- Database specific
{ "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2026-02-03T20:49:22Z", "nvd_published_at": "2026-02-03T22:16:30Z", "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
npm / @builder.io/qwik-city
Package
- Name
- @builder.io/qwik-city
- View open source insights on deps.dev
- Purl
- pkg:npm/%40builder.io/qwik-city