Qwik City Open Redirect Vulnerability in Request Handler Middleware

Vulnerability

A moderate open redirect vulnerability has been identified in Qwik City versions prior to 1.19.0. The issue resides in the default request handler middleware, where a remote attacker can manipulate URLs to redirect users to arbitrary locations. The redirect can be used to build phishing links that appear to come from a trusted domain but lead to an attacker-controlled site. The vulnerability is of particular concern on runtimes that do not automatically normalize URL paths, such as Bun, where crafted links can trigger redirects to malicious domains.

Impact

Exploitation of this vulnerability results in open redirect behavior, where users are sent to attacker-controlled sites. This can facilitate phishing, token theft, and the other abuses that open redirects commonly enable.

Reproduction

To reproduce this vulnerability, deploy a Qwik City application at a version prior to 1.19.0 on a runtime that does not automatically normalize URL paths, such as Bun. The 'fixTrailingSlash' middleware is applied to page routes and creates a catch-all path that can match arbitrary domains. Once the application is running, an attacker can craft a link that triggers the open redirect by including a protocol-relative URL pointing to a malicious site.

Remediation

Users are advised to update Qwik City to version 1.19.0 or later, where this vulnerability has been patched.
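For teams reviewing their own trailing-slash redirect middleware for the same class of bug, the following added example (not Qwik City's code) shows a redirect helper that rebuilds the Location value from the request's own origin and a normalized pathname, so a request path beginning with "//" can never be echoed as a protocol-relative redirect. The request URL format, the `normalizePathname` helper and the `redirectStaysOnSite` check are assumptions for this example; the origin and hostnames are constructed.

```javascript
// Added example, not Qwik City's own implementation. It has the shape of a
// "fix trailing slash" middleware: a page path without a trailing slash is
// redirected to the same path with one. The hardening is that the Location
// is built from the trusted origin plus a normalized path, never from the
// raw path string the client sent.

// Collapse repeated "/" and resolve "." and ".." segments. The advisory notes
// that runtimes such as Bun may hand the middleware an unnormalized path.
function normalizePathname(pathname) {
  const out = [];
  for (const seg of pathname.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  const base = '/' + out.join('/');
  // Keep an existing trailing slash so "/docs/" is not redirected in a loop.
  return pathname.endsWith('/') && base !== '/' ? base + '/' : base;
}

// Returns null when no redirect is needed, otherwise { status, location }.
// `requestUrl` is the full request URL as a string (constructed input).
function trailingSlashRedirect(requestUrl) {
  const url = new URL(requestUrl);
  const normalized = normalizePathname(url.pathname);
  if (normalized.endsWith('/')) return null;
  // Resolving "/path/" against the request origin pins the redirect on-site;
  // the raw "//host/" form would instead resolve to another host.
  const location = new URL(normalized + '/' + url.search, url.origin);
  if (location.origin !== url.origin) return null; // defensive, should not happen
  return { status: 301, location: location.href };
}

// Review check for any redirect: does this Location value, as a browser would
// resolve it against the site origin, stay on the same origin?
function redirectStaysOnSite(siteOrigin, location) {
  const resolved = new URL(location, siteOrigin);
  return resolved.origin === new URL(siteOrigin).origin;
}
```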

Added: Feb 3, 2026, 10:31 PM
Updated: Feb 3, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 6.8
remediation: 0.0
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.