CVE-2026-25150 Overview
CVE-2026-25150 is a prototype pollution vulnerability in the Qwik JavaScript framework, specifically within the @builder.io/qwik-city middleware. The formToObj() function processes form field names using dot notation to construct nested objects but does not sanitize dangerous property names such as __proto__, constructor, and prototype. Unauthenticated attackers can send crafted HTTP POST requests with malicious form field names to pollute Object.prototype across the application. The flaw affects all versions prior to 1.19.0 and is tracked under CWE-1321: Improperly Controlled Modification of Object Prototype Attributes.
Critical Impact
Successful exploitation enables privilege escalation, authentication bypass, or denial of service against any Qwik City application accepting form submissions.
Affected Products
- Qwik framework versions prior to 1.19.0
- @builder.io/qwik-city middleware (Node.js)
- Applications using formToObj() for form data parsing
Discovery Timeline
- 2026-02-03 - CVE-2026-25150 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25150
Vulnerability Analysis
The vulnerability resides in the formToObj() function inside packages/qwik-city/src/middleware/request-handler/request-event.ts. The function converts FormData entries into nested JavaScript objects by splitting form field names on the dot character and recursively assigning properties. Because the original implementation used a plain object as the accumulator and did not filter reserved property names, an attacker can submit a form field named __proto__.polluted=1 and inject properties directly onto Object.prototype.
Once polluted, every object in the running Node.js process inherits the attacker-controlled property. Downstream code that checks object properties without using hasOwnProperty may treat injected values as legitimate configuration, authentication flags, or role assignments. The attack requires no authentication and works against any endpoint that consumes form data through the affected middleware.
Root Cause
The root cause is missing validation of property keys during recursive object construction. The original reducer split each field name on . and assigned values without rejecting __proto__, constructor, or prototype segments. Combined with the use of a standard object literal as the accumulator, this allowed traversal into the prototype chain.
Attack Vector
An attacker sends an HTTP POST request with a multipart/form-data or application/x-www-form-urlencoded body containing crafted field names. Both dot notation (__proto__.polluted) and bracket notation (__proto__[]) are exploitable in unpatched versions.
// Patch from packages/qwik-city/src/middleware/request-handler/request-event.ts
const isDangerousKey = (k: string) => k === '__proto__' || k === 'constructor' || k === 'prototype';
export const formToObj = (formData: FormData): Record<string, any> => {
const values = Object.create(null);
for (const [name, value] of formData) {
const keys = name.split('.');
let hasDangerousKey = false;
for (let i = 0; i < keys.length; i++) {
if (isDangerousKey(keys[i])) {
hasDangerousKey = true;
break;
}
}
if (hasDangerousKey) {
continue;
}
// ...
}
};
// Source: https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7
The fix introduces an isDangerousKey helper, switches the accumulator to Object.create(null), and skips any field name containing a reserved key segment.
Detection Methods for CVE-2026-25150
Indicators of Compromise
- HTTP POST requests containing form field names with __proto__, constructor, or prototype substrings
- Unexpected properties appearing on objects returned by route action handlers
- Anomalous application behavior such as bypassed authorization checks following form submissions
- Server-side errors referencing inherited properties not defined in source code
Detection Strategies
- Inspect web server and application logs for POST bodies containing __proto__, constructor., or prototype. field name patterns
- Run software composition analysis against package.json and lockfiles to flag @builder.io/qwik-city versions below 1.19.0
- Deploy a web application firewall rule that blocks request bodies containing reserved JavaScript property names in form keys
Monitoring Recommendations
- Alert on HTTP 5xx error spikes correlated with form submission endpoints
- Monitor for unusual privilege transitions or session role changes immediately after POST requests
- Track outbound network connections from Node.js processes that begin after form-handling traffic
How to Mitigate CVE-2026-25150
Immediate Actions Required
- Upgrade Qwik and @builder.io/qwik-city to version 1.19.0 or later across all environments
- Audit application code for any custom form parsers using dot-notation key splitting and apply equivalent key filtering
- Review recent form submission logs for indicators consistent with prototype pollution attempts
Patch Information
The vulnerability is patched in Qwik version 1.19.0 via commit 5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7. Full details are available in the GitHub Security Advisory GHSA-xqg6-98cw-gxhq.
Workarounds
- Place a reverse proxy or WAF rule in front of Qwik applications that rejects form submissions whose field names match __proto__, constructor, or prototype
- Wrap calls to formToObj() with a pre-validation step that drops keys containing reserved property names
- Freeze Object.prototype at application startup using Object.freeze(Object.prototype) to limit pollution impact
# Upgrade Qwik to the patched release
npm install @builder.io/qwik@^1.19.0 @builder.io/qwik-city@^1.19.0
# Verify installed version
npm ls @builder.io/qwik-city
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
