Qwik City Content-Type Header Vulnerability Bypasses CSRF Protections
Vulnerability
A vulnerability in Qwik City's server-side request handler, in versions prior to 1.19.0, allows a remote attacker to bypass its Cross-Site Request Forgery (CSRF) protection. The handler does not treat the HTTP Content-Type header consistently: a multi-valued or otherwise specially crafted Content-Type value (for example, one carrying several comma-separated values) is not recognized as a form submission by the Origin-based CSRF check, so the check is skipped even though the request is still processed. Whether this is exploitable from a victim's browser depends on whether the browser will send the crafted header cross-origin without a CORS preflight and on the server's CORS and cookie policies; a non-browser client can send any header value it likes, which matters wherever such a client can reach the handler with valid credentials.
Impact
An attacker who bypasses the Origin-based CSRF check can have the handler process a cross-origin request as if it were a legitimate same-origin form submission, potentially causing unauthorized state changes on behalf of an authenticated user. The actual impact depends on the application's cookie attributes (in particular whether the session cookie is sent on cross-site requests) and its CORS policy.
Reproduction
To reproduce, run an application on a Qwik City version prior to 1.19.0 and send it a cross-origin POST request (an Origin header that does not match the application's own origin) to an endpoint that accepts form submissions. First send it with an ordinary form Content-Type such as 'application/x-www-form-urlencoded' and confirm that the CSRF check rejects the request. Then resend the same request with a Content-Type that is malformed or carries multiple values, such as 'application/x-www-form-urlencoded, bypass' (HTTP clients and the Fetch Headers API combine a repeated header into one comma-separated value, so sending the header twice produces this), and observe that the request is processed instead of rejected. Whether the crafted header can be delivered from a browser depends on the browser's CORS handling and the server's CORS policy; from a non-browser client it can always be sent. After upgrading to 1.19.0 or later, repeat the crafted request and confirm that it is no longer processed.
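The following is an added illustrative model, written for this page and not code from Qwik City, of the bug class described in the Vulnerability and Reproduction sections: a CSRF gate that classifies the Content-Type header with one rule while the rest of the handler classifies it with another, beside a hardened handler that derives a single canonical media type, refuses multi-valued headers, and applies the Origin check to everything it would parse as a form. The request shape, the function names, the 'bypass' value and the status codes are assumptions made for the example; it runs on Node 18 or later, which provides the global Headers and URL classes.

```javascript
// Illustrative model of a Content-Type classification mismatch in a CSRF gate.
// Not Qwik City's code; all names and status codes are hypothetical.

const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Build a minimal request object. Header pairs are appended one at a time, so a
// repeated Content-Type combines into one multi-valued value ("a, b"), which is
// what Headers.get() returns for duplicate headers.
function makeRequest(url, headerPairs) {
  const headers = new Headers();
  for (const [name, value] of headerPairs) headers.append(name, value);
  return { method: 'POST', url: new URL(url), headers };
}

// Hypothetical classifier A: exact match of the whole header value.
function exactIsForm(contentType) {
  return FORM_TYPES.includes((contentType ?? '').trim().toLowerCase());
}

// Hypothetical classifier B: substring match, the kind of check a body parser
// might use to decide whether to read the body as form data.
function looseIsForm(contentType) {
  const value = (contentType ?? '').toLowerCase();
  return FORM_TYPES.some((t) => value.includes(t));
}

// Vulnerable model: the Origin check only runs when classifier A says "form",
// but the body is accepted as a form whenever classifier B says so.
function vulnerableHandle(req) {
  const ct = req.headers.get('content-type');
  if (exactIsForm(ct) && req.headers.get('origin') !== req.url.origin) {
    return { status: 403, body: 'cross-origin form submission rejected' };
  }
  if (looseIsForm(ct)) {
    return { status: 200, body: 'form action executed' }; // state change happens here
  }
  return { status: 415, body: 'unsupported media type' };
}

// Hardened: one parser for Content-Type. Returns the media type essence
// (type/subtype, lowercased, parameters stripped) or null when the header is
// absent, multi-valued, or not a valid token/token pair.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
const ESSENCE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);

function mediaTypeEssence(contentType) {
  if (contentType == null) return null;
  if (contentType.includes(',')) return null; // multi-valued Content-Type: refuse to guess
  const essence = contentType.split(';', 1)[0].trim().toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : null;
}

function hardenedHandle(req) {
  const essence = mediaTypeEssence(req.headers.get('content-type'));
  if (essence === null) return { status: 415, body: 'unsupported or ambiguous media type' };
  if (!FORM_TYPES.includes(essence)) return { status: 415, body: 'unsupported media type' };
  // Every request that will be parsed as a form gets the Origin check;
  // a missing Origin header fails closed.
  if (req.headers.get('origin') !== req.url.origin) {
    return { status: 403, body: 'cross-origin form submission rejected' };
  }
  return { status: 200, body: 'form action executed' };
}

// Constructed sample requests against a hypothetical state-changing endpoint.
const APP = 'https://app.example/account/delete';
const ATTACKER = 'https://attacker.example';

function crossOriginForm(handler) {
  return handler(makeRequest(APP, [
    ['origin', ATTACKER], ['content-type', 'application/x-www-form-urlencoded'],
  ])).status;
}
function crossOriginCrafted(handler) {
  // Two Content-Type headers combine into "application/x-www-form-urlencoded, bypass".
  return handler(makeRequest(APP, [
    ['origin', ATTACKER], ['content-type', 'application/x-www-form-urlencoded'], ['content-type', 'bypass'],
  ])).status;
}
function sameOriginForm(handler) {
  return handler(makeRequest(APP, [
    ['origin', 'https://app.example'], ['content-type', 'application/x-www-form-urlencoded; charset=UTF-8'],
  ])).status;
}

for (const [name, handler] of [['vulnerable', vulnerableHandle], ['hardened', hardenedHandle]]) {
  console.log(name, { plainForm: crossOriginForm(handler), crafted: crossOriginCrafted(handler), sameOrigin: sameOriginForm(handler) });
}
```

In the vulnerable model the plain cross-origin form post is rejected but the crafted one is executed, which is exactly the pair of observations the reproduction steps ask for; the hardened handler rejects the crafted header outright as ambiguous and still accepts a same-origin post whose Content-Type carries a charset parameter.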
Remediation
Upgrade to Qwik City version 1.19.0 or later. As defense in depth, and not as a substitute for the upgrade, setting the session cookie with SameSite=Lax or SameSite=Strict stops browsers from attaching it to cross-site POST requests, which limits what a bypassed Origin check can reach.
