CVE-2026-25155 Overview
CVE-2026-25155 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Qwik, a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within the isContentType function causes incorrect parsing of certain Content-Type headers. This parsing flaw can be exploited to bypass security controls that rely on proper Content-Type validation, potentially enabling CSRF attacks against applications built with the vulnerable Qwik versions.
Critical Impact
Applications using affected versions of Qwik may be vulnerable to CSRF attacks due to improper Content-Type header validation, which could allow attackers to forge malicious requests that bypass content-type security checks.
Affected Products
- Qwik JavaScript Framework versions prior to 1.12.0
- Qwik City middleware using the vulnerable isContentType function
- Applications relying on Content-Type validation for security controls
Discovery Timeline
- 2026-02-03 - CVE-2026-25155 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25155
Vulnerability Analysis
The vulnerability stems from an input validation error in the isContentType function within Qwik's middleware request handler. The function is responsible for parsing and validating Content-Type headers to ensure requests contain expected content types. Due to a typo in the regular expression pattern, the parsing logic incorrectly handles certain Content-Type header values, creating a security gap that can be exploited to bypass CSRF protections.
The flawed regular expression /;,/ is meant to split the Content-Type header at the first semicolon, but the extra comma turns it into a pattern that only matches the literal two-character sequence ";,". A standards-conformant header such as application/json; charset=utf-8 never contains that sequence, so the split never takes place: the whole header value, parameters included, is compared against the allowed types and fails to match. Any header that carries a parameter (a charset or a multipart boundary) is therefore not recognised, and a check that depends on recognising it can be bypassed.
Root Cause
The root cause is a simple typographical error in the regular expression used for Content-Type header parsing. The vulnerable code uses /;,/ as the split pattern, which looks for both a semicolon AND a comma together, rather than just a semicolon. The correct pattern should be /;/ to properly parse standard Content-Type headers like application/json; charset=utf-8.
This typo causes the function to fail to properly extract the MIME type portion of Content-Type headers that follow the standard format, leading to incorrect content type validation results.
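The following is an added example written for this page, not code from the Qwik project: it applies the vulnerable and the fixed split patterns quoted in this advisory to a handful of constructed Content-Type values and reports which headers the pre-1.12.0 function fails to recognise. The list of form-like types (FORM_TYPES) is an assumption of the example, chosen because they are the content types a browser can send cross-site from a plain form; the Map used in place of the Fetch Headers object is also the example's own.

```javascript
// Added example (not Qwik's code): compare the pre-1.12.0 and 1.12.0
// Content-Type parsing on constructed header values.

// Pre-1.12.0 behaviour: /;,/ only matches a literal ";," sequence, which a
// standards-conformant header never contains, so the split is a no-op and
// the full header value (parameters included) is returned.
function mediaTypeVulnerable(contentType) {
  return contentType?.split(/;,/, 1)[0].trim() ?? '';
}

// 1.12.0 behaviour: split on the first ';' and keep only the media type.
function mediaTypeFixed(contentType) {
  return contentType?.split(/;/, 1)[0].trim() ?? '';
}

// Same shape as Qwik's isContentType(headers, ...types) but with the parser
// passed in. `headers` is anything with get(name); a Map stands in for the
// Fetch Headers class in this example.
function isContentTypeWith(parser, headers, ...types) {
  return types.includes(parser(headers.get('content-type')));
}

// Constructed header values covering what a real application sees.
const SAMPLE_CONTENT_TYPES = [
  'application/json',
  'application/json; charset=utf-8',
  'text/plain;charset=UTF-8',
  'application/x-www-form-urlencoded',
  'multipart/form-data; boundary=----constructed-boundary',
];

// Assumption of this example: the content types a browser form can submit
// cross-site without a CORS preflight, i.e. the ones a CSRF check cares about.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// For each sample, what each version extracts and whether a check for
// `types` would recognise the request.
function compareParsers(samples = SAMPLE_CONTENT_TYPES, types = FORM_TYPES) {
  return samples.map((value) => {
    const headers = new Map([['content-type', value]]);
    return {
      value,
      vulnerable: mediaTypeVulnerable(value),
      fixed: mediaTypeFixed(value),
      recognisedBefore: isContentTypeWith(mediaTypeVulnerable, headers, ...types),
      recognisedAfter: isContentTypeWith(mediaTypeFixed, headers, ...types),
    };
  });
}

// Samples the vulnerable version misses but the fixed one recognises: the
// false negatives a Content-Type-based security check suffers before 1.12.0.
function falseNegatives(samples = SAMPLE_CONTENT_TYPES, types = FORM_TYPES) {
  return compareParsers(samples, types)
    .filter((r) => r.recognisedAfter && !r.recognisedBefore)
    .map((r) => r.value);
}

console.table(compareParsers());
console.log('False negatives before 1.12.0:', falseNegatives());
```

Run with node; the table shows that only parameter-free values such as application/json survive the vulnerable split, while text/plain;charset=UTF-8 and the multipart value are returned whole and never match.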
Attack Vector
An attacker can craft HTTP requests whose Content-Type headers exploit the parsing flaw to bypass security controls. Because isContentType fails to recognise legitimate Content-Type values that carry parameters, a security control that relies on it does not see the content type it expects, and an attacker may be able to submit requests whose content types are incorrectly accepted, or bypass CSRF protections that depend on this function for content-type validation.
The attack is network-based and requires user interaction (such as clicking a malicious link), making it suitable for CSRF-style attacks where the victim's browser is leveraged to send forged requests to vulnerable applications.
Vulnerable Code:
export function isContentType(headers: Headers, ...types: string[]) {
  // Bug: /;,/ only matches a literal ";," sequence, which standard headers
  // never contain, so a header with parameters is compared whole and
  // never matches any entry in `types`.
  const type = headers.get('content-type')?.split(/;,/, 1)[0].trim() ?? '';
  return types.includes(type);
}
Source: GitHub Commit Reference
Fixed Code:
export function isContentType(headers: Headers, ...types: string[]) {
  // Fix: split on the first ';' so only the media type is compared.
  const type = headers.get('content-type')?.split(/;/, 1)[0].trim() ?? '';
  return types.includes(type);
}
Source: GitHub Commit Reference
Detection Methods for CVE-2026-25155
Indicators of Compromise
- Unusual or malformed Content-Type headers in HTTP request logs
- Unexpected CSRF token validation failures or bypasses
- Form submissions with unexpected content types being processed
- Cross-origin requests that should have been blocked by content-type validation
Detection Strategies
- Review application logs for requests with unusual Content-Type header patterns
- Implement web application firewall (WAF) rules to detect malformed Content-Type headers
- Monitor for cross-origin requests that bypass expected security controls
- Audit Qwik framework version in use across all deployments
Monitoring Recommendations
- Enable verbose logging for middleware request handlers to capture Content-Type parsing behavior
- Set up alerts for requests with Content-Type headers containing unusual delimiter patterns
- Monitor for potential CSRF attack patterns in application traffic
- Implement runtime application self-protection (RASP) to detect content-type bypass attempts
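To make the detection and monitoring guidance above concrete, here is an added example (not part of the advisory) that scans constructed JSON-lines access-log records and flags the two patterns described: cross-origin state-changing requests whose Content-Type the pre-1.12.0 regex would misparse, and Content-Type values with unusual delimiters. The record fields (ts, method, path, host, origin, ct) and the sample records are this example's own; map them onto whatever your reverse proxy or middleware actually logs.

```javascript
// Added example (not from the advisory): flag log records that match the
// detection guidance for CVE-2026-25155.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Constructed sample records in a made-up JSON-lines format; not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2026-02-04T10:00:00Z","method":"POST","path":"/api/transfer","host":"app.example","origin":"https://app.example","ct":"application/x-www-form-urlencoded"}',
  '{"ts":"2026-02-04T10:00:05Z","method":"POST","path":"/api/transfer","host":"app.example","origin":"https://third-party.example","ct":"text/plain;charset=UTF-8"}',
  '{"ts":"2026-02-04T10:00:09Z","method":"GET","path":"/","host":"app.example","origin":null,"ct":null}',
  '{"ts":"2026-02-04T10:00:12Z","method":"POST","path":"/api/profile","host":"app.example","origin":"https://app.example","ct":"application/json; charset=utf-8"}',
  '{"ts":"2026-02-04T10:00:20Z","method":"PUT","path":"/api/settings","host":"app.example","origin":"null","ct":"multipart/form-data;, boundary=abc"}',
];

// Cross-origin if an Origin header is present and its host differs from the
// request Host. A literal "null" Origin is an opaque origin and counts as
// cross-origin; an unparsable Origin is treated conservatively as cross-origin.
function isCrossOrigin(record) {
  if (!record.origin) return false;
  if (record.origin === 'null') return true;
  try {
    return new URL(record.origin).host !== record.host;
  } catch {
    return true;
  }
}

// The vulnerable split only acts on ";,". Any header that carries parameters
// (a ';' is present) but no ";," is returned unsplit and never matches.
function misparsedByVulnerableRegex(ct) {
  return typeof ct === 'string' && ct.includes(';') && !ct.includes(';,');
}

// A comma, a doubled semicolon, or a trailing semicolon never appears in a
// valid Content-Type value.
function hasUnusualDelimiters(ct) {
  return typeof ct === 'string' && /,|;;|;\s*$/.test(ct);
}

// Returns one finding per suspicious record, with the reasons it matched.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = JSON.parse(line);
    const reasons = [];
    if (hasUnusualDelimiters(rec.ct)) reasons.push('unusual delimiter in content-type');
    if (STATE_CHANGING.has(rec.method) && isCrossOrigin(rec)) {
      reasons.push('cross-origin state-changing request');
      if (misparsedByVulnerableRegex(rec.ct)) reasons.push('content-type misparsed by pre-1.12.0 regex');
    }
    if (reasons.length > 0) {
      findings.push({ ts: rec.ts, method: rec.method, path: rec.path, contentType: rec.ct, reasons });
    }
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

Same-origin submissions with a charset (the fourth record) are deliberately not flagged on their own: they are normal traffic, and the parsing bug only matters when it lets a cross-site request slip past a check. Tune the Host comparison if your deployment sits behind a proxy that rewrites it.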
How to Mitigate CVE-2026-25155
Immediate Actions Required
- Upgrade Qwik to version 1.12.0 or later immediately
- Review application code for any custom Content-Type validation that may be affected
- Implement additional CSRF protection mechanisms as a defense-in-depth measure
- Audit recent application logs for potential exploitation attempts
Patch Information
The vulnerability has been patched in Qwik version 1.12.0. The fix corrects the regular expression in the isContentType function from /;,/ to /;/, ensuring proper parsing of Content-Type headers. Users should update their Qwik dependency to version 1.12.0 or later.
For technical details about the patch, refer to the GitHub Commit Reference and the GitHub Security Advisory GHSA-vm6g-8r4h-22x8.
Workarounds
- Implement additional server-side Content-Type validation as a secondary check
- Use strict CSRF tokens with double-submit cookie pattern for critical operations
- Apply middleware to normalize and validate Content-Type headers before they reach Qwik handlers
- Consider implementing custom Content-Type parsing logic until the upgrade can be completed
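As an added example of the secondary validation and defense-in-depth items above (this is not Qwik's code and not an official workaround), the guard below can run in front of Qwik City handlers until the upgrade lands. It does not depend on the isContentType regex at all: it validates the Content-Type header's syntax strictly, and for state-changing methods it decides on Sec-Fetch-Site and Origin alone. The request shape ({ method, headers: Map }), the mkReq helper and the allow-list are assumptions of the example; non-browser API clients that send no Origin are denied here and would need a token-based path of their own.

```javascript
// Added example (not Qwik's code): a framework-agnostic CSRF guard that does
// not rely on Content-Type parsing, plus strict Content-Type syntax checks.

const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// RFC 9110 "token" characters; used for type, subtype and parameter names.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
const PARAM_RE = new RegExp(`^\\s*${TOKEN}=("[^"]*"|${TOKEN})\\s*$`);

// Strict secondary validation: returns the lower-cased media type, or null
// when the header is syntactically malformed (e.g. a stray comma).
function validateContentType(ct) {
  if (ct == null) return null;
  const [type, ...params] = ct.split(';');
  const media = type.trim().toLowerCase();
  if (!MEDIA_TYPE_RE.test(media)) return null;
  for (const p of params) {
    if (!PARAM_RE.test(p)) return null;
  }
  return media;
}

// Decide whether a state-changing request may proceed. `req` is the plain
// object this example constructs ({ method, headers: Map }); the same logic
// applies to a Fetch Request whose headers expose get(name).
function csrfDecision(req, allowedOrigins) {
  const method = req.method.toUpperCase();
  if (!UNSAFE_METHODS.has(method)) return { allow: true, reason: 'safe method' };

  const ct = req.headers.get('content-type');
  if (ct != null && validateContentType(ct) === null) {
    return { allow: false, reason: 'malformed content-type' };
  }

  // Sec-Fetch-Site is set by the browser and cannot be forged by page script.
  const site = req.headers.get('sec-fetch-site');
  if (site === 'same-origin' || site === 'none') return { allow: true, reason: `sec-fetch-site=${site}` };

  const origin = req.headers.get('origin');
  if (origin && allowedOrigins.has(origin)) return { allow: true, reason: 'origin allow-listed' };
  return { allow: false, reason: origin ? `cross-site origin ${origin}` : 'missing origin on unsafe request' };
}

// Test helper of this example: build a request-like object from plain headers.
function mkReq(method, headers) {
  return { method, headers: new Map(Object.entries(headers)) };
}

const ALLOWED = new Set(['https://app.example']);
console.log(csrfDecision(mkReq('POST', { 'content-type': 'text/plain;charset=UTF-8', origin: 'https://third-party.example', 'sec-fetch-site': 'cross-site' }), ALLOWED));
console.log(csrfDecision(mkReq('POST', { 'content-type': 'application/json; charset=utf-8', origin: 'https://app.example', 'sec-fetch-site': 'same-origin' }), ALLOWED));
```

Note that normalising the header value alone is not a sufficient workaround: any parameter, even a legitimate charset or multipart boundary, still defeats the /;,/ split, which is why the decision here rests on the request's origin rather than on its Content-Type.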
# Upgrade Qwik to the patched version (pins 1.12.0; use ^1.12.0 to allow later releases)
npm install @builder.io/qwik@1.12.0
# or, with Yarn
yarn upgrade @builder.io/qwik@1.12.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.