@builder.io/qwik-city
cpe:2.3:a:builder:qwik:*:*:*:*:*:*:*
- < 1.19.0
A prototype pollution vulnerability has been identified in the Qwik framework, specifically within the Qwik City middleware, in versions prior to 1.19.0. The issue arises in the formToObj() function, which converts form data into nested objects by interpreting field names with dot notation. However, the function does not properly sanitize certain property names, such as __proto__, constructor, and prototype. This oversight enables unauthenticated attackers to send manipulated HTTP POST requests that can corrupt Object.prototype. The consequences of this vulnerability include potential privilege escalation, authentication bypass, or denial-of-service. The vulnerability has been patched in version 1.19.0.
Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject dangerous keys into parsed objects. This can lead to various issues, including privilege escalation, authentication bypass, denial-of-service, or other failures in global application integrity, depending on how the polluted objects are handled.
The vulnerability can be reproduced by sending a POST request with FormData that includes field names designed to exploit the prototype pollution flaw. The formToObj() function will process these names, leading to the injection of harmful properties into Object.prototype.
Users can upgrade to Qwik version 1.19.0 or later to address this vulnerability.
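For code that performs its own dot-notation form parsing, the following added example (not Qwik's source and not part of the advisory) shows a converter that refuses the property names listed above and builds prototype-less objects. The function name, return shape, empty-segment rule and sample input are assumptions made for illustration.

```javascript
// Added illustration: a simplified dot-notation form converter.
// This is NOT Qwik's formToObj(); all names here are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// entries: iterable of [fieldName, value] pairs, e.g. formData.entries().
// Returns the nested object plus the field names that were refused,
// so the caller can log them as a possible pollution attempt.
function safeFormToObj(entries) {
  const data = Object.create(null); // no prototype to reach through
  const rejected = [];
  for (const [name, value] of entries) {
    const path = String(name).split('.');
    // Refuse the whole field if any segment is empty or prototype-related.
    if (path.some((seg) => seg === '' || FORBIDDEN_KEYS.has(seg))) {
      rejected.push(name);
      continue;
    }
    let node = data;
    for (const seg of path.slice(0, -1)) {
      // Only descend into own, non-null object properties; otherwise
      // create a fresh prototype-less container.
      const child = hasOwn(node, seg) ? node[seg] : undefined;
      if (typeof child !== 'object' || child === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return { data, rejected };
}

// Constructed sample input (not captured traffic).
const SAMPLE_ENTRIES = [
  ['user.name', 'alice'],
  ['user.address.city', 'Lyon'],
  ['__proto__.isAdmin', 'true'],
  ['user.constructor.prototype.role', 'admin'],
];

const result = safeFormToObj(SAMPLE_ENTRIES);
console.log(JSON.stringify(result.data), result.rejected);
```

The `rejected` list gives request handlers a signal to log or alert on, which helps when reviewing traffic to deployments that have not yet been upgraded.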