Qwik and Qwik City FormData Parsing Vulnerability Leading to Array Method Pollution
Vulnerability
Qwik and Qwik City versions prior to 1.19.2 improperly handle FormData, particularly fields with dotted names. This can lead to array method pollution, where user-controlled properties are injected into values expected to be arrays. The issue arises when mixed array-index and object-property keys are submitted for the same path, disrupting the expected data structure. As a result, application code may encounter type confusion or request handling failures, and manipulation of array state or length can produce denial-of-service conditions.
Impact
Exploitation of this vulnerability can cause parsed FormData to deviate from the expected structure, leading to runtime errors when array methods are applied to manipulated values. It can also create malformed array structures that increase server workload or memory usage, causing application instability. The primary risk is denial of service; there is no direct evidence of confidentiality or integrity impacts from this vulnerability.
Reproduction
The vulnerability can be reproduced by sending a POST request with 'application/x-www-form-urlencoded' or 'multipart/form-data' content type. Include mixed array-index keys (like 'items.0' and 'items.1') and object-property keys (such as 'items.toString' or 'items.length') for the same path. This will cause Qwik to interpret the data incorrectly, allowing for the injection of properties into arrays.
Remediation
Users can update to Qwik and Qwik City version 1.19.2 or later, where this vulnerability has been patched.
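The key pattern described under Reproduction can be detected on the raw field names before any parsing takes place. The following is an added example, not code from Qwik or from this advisory; the function names and the sample bodies are constructed for illustration.

```javascript
// Added example: flags form bodies whose dotted field names mix array-index
// and property-name segments under the same parent path. Not Qwik's parser.
const INDEX = /^(0|[1-9]\d*)$/;

// fieldNames: any iterable of field names (URLSearchParams.keys(), FormData.keys()).
function findMixedKeyPaths(fieldNames) {
  // parent path -> which kinds of child segment were seen under it
  const seen = new Map();
  for (const name of fieldNames) {
    const segments = name.split('.');
    for (let i = 1; i < segments.length; i++) {
      const parent = segments.slice(0, i).join('.');
      const entry = seen.get(parent) ?? { index: false, props: new Set() };
      if (INDEX.test(segments[i])) entry.index = true;
      else entry.props.add(segments[i]);
      seen.set(parent, entry);
    }
  }
  const findings = [];
  for (const [path, entry] of seen) {
    // A path addressed both as an array (items.0) and as an object (items.length)
    if (entry.index && entry.props.size > 0) {
      findings.push({ path, properties: [...entry.props].sort() });
    }
  }
  return findings;
}

// Helper for application/x-www-form-urlencoded bodies.
function inspectUrlEncodedBody(body) {
  return findMixedKeyPaths(new URLSearchParams(body).keys());
}

// Constructed sample bodies
const benign = 'items.0=apple&items.1=pear&user.name=alice';
const mixed = 'items.0=apple&items.1=pear&items.length=9999&items.toString=x';

console.log(inspectUrlEncodedBody(benign));
console.log(JSON.stringify(inspectUrlEncodedBody(mixed)));
```

For multipart/form-data requests, the same `findMixedKeyPaths` function accepts `formData.keys()` directly.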
