Qwik City Server Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Qwik City versions prior to 1.13.0. When a Qwik Server Action QRL is executed, the server dynamically loads the file that corresponds to it. If an invalid qfunc is supplied, the server does not handle the resulting load error, and the unhandled error crashes the Node.js process. The issue can be reproduced both with the default Qwik Server and when Qwik is deployed behind Express.
Impact
Exploitation of this vulnerability crashes the Qwik Server instance, causing a temporary disruption of service. The crash does not require malicious intent: if a Qwik application is served through a CDN and a client reaches the server with an outdated version, the same crash can occur, which makes availability harder to maintain.
Reproduction
To reproduce this vulnerability, create a new Qwik project and start the server. Then, send a request with an invalid qfunc parameter and the appropriate headers. This will cause the server to crash. The same steps can be followed after building and deploying the Qwik application with Express.
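The failure mode described under Vulnerability and Reproduction, as an added illustration that is not Qwik's code: a constructed Node.js handler resolves a qfunc symbol through a dynamic loader (here a small in-memory registry standing in for the real file import), once without a guard and once with the error converted into an HTTP response. The `s_greet`/`s_fails` names and the `loadServerFunction` helper are assumptions made for this example.

```javascript
// Constructed stand-in for the files a server would import for each qfunc.
const registry = {
  s_greet: async () => ({ message: 'hello' }),
  s_fails: async () => { throw new Error('action blew up'); },
};

// Simulates the dynamic load of a server function. Like a real dynamic
// import of a missing module, it rejects for an unknown symbol.
async function loadServerFunction(qfunc) {
  const fn = registry[qfunc];
  if (!fn) throw new Error(`no server function for qfunc "${qfunc}"`);
  return fn;
}

// Unguarded pattern: the loader's rejection escapes the async handler. In a
// server loop that does not await each handler, that is an unhandled
// rejection, and Node.js (v15 and later) terminates the process on it.
async function handleUnguarded(req) {
  const fn = await loadServerFunction(req.qfunc);
  return { status: 200, body: await fn() };
}

// Guarded pattern: a bad qfunc is a client error (400), a failing action is
// a server error (500); either way the process keeps serving requests.
async function handleGuarded(req) {
  let fn;
  try {
    fn = await loadServerFunction(req.qfunc);
  } catch (err) {
    return { status: 400, body: { error: 'unknown server function' } };
  }
  try {
    return { status: 200, body: await fn() };
  } catch (err) {
    return { status: 500, body: { error: 'server function failed' } };
  }
}

// Probe: report whether a handler settled with a response or rejected,
// so the two patterns can be compared without crashing this process.
async function outcome(handler, req) {
  try {
    const res = await handler(req);
    return { settled: true, status: res.status };
  } catch (err) {
    return { settled: false, status: null };
  }
}
```

Running Node with `--unhandled-rejections=warn` keeps the process alive but only masks the defect; the durable fix is the guard above or the upgrade listed under Remediation.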
Remediation
Users can update to Qwik City version 1.13.0 or later to address this vulnerability.
