Qwik Regular Expression Typo in Content-Type Parsing Vulnerability Allowing CSRF Protection Bypass

Vulnerability

A vulnerability exists in Qwik versions prior to 1.12.0 due to a typo in the regular expression used to parse Content-Type headers. This flaw leads to incorrect interpretation of certain headers, allowing an attacker to bypass Qwik City's Origin-based Cross-Site Request Forgery (CSRF) protections. As a result, forged form submissions could be executed, potentially causing unauthorized changes in application state.

Impact

Exploitation of this vulnerability allows for bypassing CSRF protections in Qwik City, leading to unauthorized form submissions and state changes.

Reproduction

The vulnerability can be reproduced by sending a request to a Qwik application with a Content-Type header that carries parameters, for example a 'multipart/form-data' header. Because the header is parsed incorrectly, the request is not recognised as a form submission and the Origin-based CSRF check is bypassed.
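The following is an added illustration, not Qwik City's own code: a Content-Type parser that separates the media type from its parameters, and an Origin check that is applied to every form-style submission, including a 'multipart/form-data' header that carries a boundary parameter. The request object shape, lowercase header names and the missing-Origin policy are assumptions of this example.

```javascript
// Added example (not Qwik's implementation). The three media types below are
// the ones an HTML form can produce, so they are the ones a forged
// cross-site form submission can carry.
const FORM_MEDIA_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Split "type/subtype; name=value; ..." into the media type (lower-cased)
// and a map of parameters. Parameters such as boundary or charset must not
// change which media type is recognised.
function parseContentType(header) {
  if (typeof header !== 'string') return { mediaType: '', params: {} };
  const [type, ...rest] = header.split(';');
  const mediaType = type.trim().toLowerCase();
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    // Strip a quoted-string value: boundary="----abc" -> ----abc
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name) params[name] = value;
  }
  return { mediaType, params };
}

function isFormSubmission(contentTypeHeader) {
  return FORM_MEDIA_TYPES.has(parseContentType(contentTypeHeader).mediaType);
}

// Origin-based CSRF check for a constructed request {method, url, headers}
// with lowercase header names. Safe methods and non-form bodies are not
// subject to the check; form submissions must come from the app's own origin.
function csrfCheck({ method, url, headers }) {
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS') return { ok: true, reason: 'safe method' };
  if (!isFormSubmission(headers['content-type'])) return { ok: true, reason: 'not a form submission' };
  const origin = headers['origin'];
  if (!origin) return { ok: false, reason: 'form submission without Origin header' }; // assumed policy
  const expected = new URL(url).origin;
  if (origin !== expected) return { ok: false, reason: `cross-origin form post from ${origin}` };
  return { ok: true, reason: 'same-origin form submission' };
}
```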

Remediation

Users can upgrade to Qwik version 1.12.0 or later to address this vulnerability.

Added: Feb 3, 2026, 10:29 PM
Updated: Feb 3, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.2
remediation: 0.0
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.