chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security]#32
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security]#32renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
Branch automerge failureThis PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
|
40e6c4c to
23679da
Compare
e502953 to
e1d7e8b
Compare
e1d7e8b to
02c76bb
Compare
02c76bb to
d27c4fa
Compare
d27c4fa to
55ff20d
Compare
55ff20d to
2fce942
Compare
2fce942 to
51e4a60
Compare
51e4a60 to
3784afd
Compare
3784afd to
7391d1d
Compare
7391d1d to
7660d51
Compare
2b009bf to
8851645
Compare
8851645 to
ea7a297
Compare
1688706 to
0377f96
Compare
0377f96 to
8b5afc3
Compare
8b5afc3 to
cbe294e
Compare
cbe294e to
3a3c9e4
Compare
auto-merge was automatically disabled
March 27, 2026 02:17
Pull request was closed
b2f14b2 to
7955f14
Compare
7955f14 to
de3c8f2
Compare
auto-merge was automatically disabled
April 27, 2026 17:53
Pull request was closed
de3c8f2 to
f0e5b51
Compare
b7d84af to
be5de38
Compare
af3fe55 to
31ccb1a
Compare
31ccb1a to
de69fba
Compare
de69fba to
3ec00c2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.8.0→1.19.2Qwik's unhandled exception vulnerabilty can cause server crashes from malicious requests
CVE-2025-53620 / GHSA-qr9h-j6xg-2j72
More information
Details
Summary
Possibility to craft a request that will crash the Qwik Server in the default configuration.
Details
When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit.
PoC
pnpm create qwik@latestpnpm run previewHere the
qfuncquery parameter,X-Qrlheader and payload need to have the same qrl.The Qwik Server will then crash with the message
The same can also be repeated running Qwik in production using express.
pnpm create qwik@latestpnpm run qwik add expresspnpm run buildpnpm run serveImpact
Any Qwik Server instance running the default configuration can be crashed. Using a simple loop to send this HTTP request will cause permanent down time of the service as it takes a few seconds for an instance to restart.
There is also the issue that this can happen without a malicious attacker.
When a Qwik Application is deployed through a CDN and an old instance is still loaded on some Client, like through an inactive Tab. Once that user returns to the old Version and performs an action that runs a removed qfunc the server will crash.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik SSR XSS via Unsafe Virtual Node Serialization
CVE-2026-25148 / GHSA-m6jq-g7gq-5w3c
More information
Details
Summary
Description
A Cross-site Scripting (CWE-79) vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Impact
This vulnerability impacts applications that dynamically populate Virtual Node attributes with keys/values that users can influence. Applications that hard-code these keys/values are unaffected.
Qwik doesn't use traditional hydration. Instead, it serializes application state into the HTML so the client can resume execution from the server-rendered output. To support this, Qwik v1 marks component boundaries with HTML comments. SSR builds comment content for Virtual components by concatenating structural attribute names and values without any escaping or quoting. An attacker-controlled key or value can prematurely close the HTML comment and inject arbitrary HTML/JS.
Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. Additionally, because Qwik uses these serialized comment markers for resumability, breaking comment structure can lead to resume/hydration desync and unexpected client-side behavior.
Patches
This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Prototype Pollution via FormData Processing in Qwik City
CVE-2026-25150 / GHSA-xqg6-98cw-gxhq
More information
Details
Summary
A Prototype Pollution vulnerability exists in the
formToObj()function within@builder.io/qwik-citymiddleware. The function processes form field names with dot notation (e.g.,user.name) to create nested objects, but fails to sanitize dangerous property names like__proto__,constructor, andprototype. This allows unauthenticated attackers to polluteObject.prototypeby sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.Impact
An unauthenticated attacker can supply specially crafted form field names that cause formToObj() to write dangerous keys (for example proto, constructor, prototype) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, auth bypass, denial-of-service, or other global application integrity failures depending on how objects are used.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
CVE-2026-25151 / GHSA-r666-8gjf-4v5f
More information
Details
Summary
Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.
Impact
A vulnerability in checkCSRF lets an attacker bypass Origin-based CSRF checks by using malformed or multi-valued Content-Type headers. Exploitation requires the CORS preflight to succeed (so it’s blocked if preflight is denied) and is possible when the application accepts cross-origin requests or via non-browser clients. Impact varies with server CORS and cookie policies and may enable unauthorized state changes.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City Open Redirect via fixTrailingSlash
CVE-2026-25149 / GHSA-92j7-wgmg-f32m
More information
Details
Summary
Description
An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Impact
Qwik City automatically applies the
fixTrailingSlashmiddleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).Exploitation allows an attacker to craft links that trigger a 301 redirect to arbitrary protocol-relative URLs. Browsers interpret this Location header as a protocol-relative URL, redirecting the user to attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.
Patches
This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
CVE-2026-25155 / GHSA-vm6g-8r4h-22x8
More information
Details
Summary
A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers.
Impact
An attacker can bypass Qwik City’s Origin-based CSRF protections and perform forged form submissions, potentially causing unauthorized state changes.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Qwik City has array method pollution in FormData processing allows type confusion and DoS
CVE-2026-32701 / GHSA-whhv-gg5v-864r
More information
Details
Summary
Qwik City improperly inferred arrays from dotted form field names during
FormDataparsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays.Description
When processing
application/x-www-form-urlencodedormultipart/form-datarequests, Qwik City converted dotted field names such asitems.0anditems.1into nested structures. If a path was interpreted as an array, additional attacker-controlled keys on the same path, such asitems.toString,items.push,items.valueOf, oritems.length, could alter the resulting server-side value in unexpected ways.Applications that assumed these parsed values were safe arrays could be affected. Depending on application behavior, this could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code.
This issue affects form parsing in Qwik City request handling. It does not require authentication if the vulnerable route is publicly reachable.
Impact
An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape. Possible outcomes include:
There is no direct evidence that this issue enables confidentiality or integrity impact by itself; the primary risk is denial of service and application instability.
Patched Versions
Patched in 1.19.2.
Workarounds
Until patched, avoid trusting parsed form data to be a well-formed array when using dotted field names, and validate or normalize action input before using array methods or relying on array shape.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
QwikDev/qwik (@builder.io/qwik-city)
v1.19.2Compare Source
Patch Changes
🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @wmertens in #8424)
🐞🩹 handle special characters in dynamic route (by @gioboa in #8400)
v1.19.1Compare Source
Patch Changes
🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)
🐞🩹 Link hash change now properly updates location.url.hash (by @maiieul in #8305)
v1.19.0Compare Source
Minor Changes
QwikCityMockProvider(by @alexismch in #8102)Patch Changes
🐞🩹 qwik-city spa routeStateInternal and routeLocation url origins mismatch (by @maiieul in #8234)
feat(qwik-city): add getOrigin option to QwikCityBunOptions and QwikCityDenoOptions for improved URL handling (by @JerryWu1234 in #8251)
Make RequestEvents readonly instead of frozen (by @DustinJSilk in #8135)
v1.18.0Compare Source
Patch Changes
v1.17.2Compare Source
Patch Changes
🐞🩹 history behavior in some edge cases has been brought inline with the E2E tests that were accidentally disabled. (the tests can't be disabled any more either) (by @wmertens in
206f3e0)🐞🩹 SPA routing is broken unless origin matches value in in vite.config #8093 (by @termermc in #8097)
If the SSG origin was set to
localhost:3000and a user visited from127.0.0.1:3000, SPA routing would be broken.Internally, useNavigate's context provider
gotochecks the new destination with the last route location. If theorigin is different, it just does a normal browser navigation. This makes sense; links to other origins cannot use
SPA routing. However, the initial route it compares was using an origin that came from the server environment.
Now, the first navigation will set that initial route to the browser's actual href, eliminating the erroneous
origin mismatch for SPA navigations.
🐞🩹
thisin various Qwik-City handlers is nowRequestEventagain. (by @wmertens in #8111)v1.17.1Compare Source
Patch Changes
zodis now imported asimport * as z from 'zod', which vastly improves bundling. The Insights app client code reduced by 12kB. (by @wmertens in #8042)v1.17.0Compare Source
Patch Changes
🐞🩹 SSG sometimes hangs after completion, now we forcibly exit the SSG process when this happens. (by @wmertens in #7957)
🐞🩹 return 404 for missing /build/ files. (by @gioboa in #7914)
🐞🩹 redirecting internal q-data.json requests will keep the q-data.json suffix so that the client can still fetch the correct one (by @wmertens in #7988)
🐞🩹 solve type error when using async _resolved function (by @JerryWu1234 in #7426)
🐞🩹 while prefetching Link data, don't navigate to captive portals (by @wmertens in #7988)
v1.16.1Compare Source
Patch Changes
🐞🩹 fix behaviour of checkOrigin: "lax-proto" in createQwikCity (by @asaharan in #7865)
🛠 Add check-client command to verify bundle freshness (by @JerryWu1234 in #7517)
🐞🩹 return 404 with invalid URL. (by @gioboa in #7902)
✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like
import "./preloader.js". (by @maiieul in #7908)✨ SPA Link navigation now preloads the next route bundles on click with maximum probability, speeding up SPA navigation. (by @maiieul in #7849)
🐞🩹 Your service-worker.js won't be unregistered anymore if you added custom logic to it. (by @maiieul in #7872)
v1.16.0Compare Source
Minor Changes
Patch Changes
🐞🩹 Keeping the service worker components now properly unregisters them. (by @maiieul in #7781)
🐞🩹 redirects no longer take their parent layout's Cache-Control value by default and are instead set to
no-store. This prevents issues in redirection logic. We might introduce another API to enable caching redirects in the future. (by @maiieul in #7811)🐞🩹 Keeping the service worker components now also removes their associated Cache storage. (by @maiieul in #7782)
v1.15.0Compare Source
Minor Changes
✨ Added rewrite() to the RequestEvent object. It works like redirect but does not change the URL, (by @omerman in #7562)
think of it as an internal redirect.
Example usage:
Patch Changes
🐞🩹 Change Content-Type header in qwik requests to respect RFC 7231 (by @joaomaridalho in #7690)
🐞🩹 link/useNavigate with query params don't override loader/middleware redirect with query params anymore. (by @maiieul in #7733)
🐞🩹 allow cross-protocol requests from the same domain (by @gioboa in #7693)
🛠 update devDependencies and configurations (by @JerryWu1234 in #7695)
🐞🩹 Duplicate ServerError class during dev mode (by @wmertens in #7724)
v1.14.1Compare Source
v1.14.0Compare Source
Minor Changes
🐞🩹 qwik-city no longer forces
q-data.jsondownloads, instead relying on the cache headers. This means that you have to make sure yourq-data.jsonis served withCache-Controlheaders that suit you. That file contains all the information about the route and is read for each qwik-city navigation. By default the data is cached for one hour. (by @wmertens in #7537)🛠 the service workers have been deprecated and replaced with entries that unregister them. If you have it enabled in production, you can remove it after a while once you are sure all your users have the new version. (by @wmertens in #7453)
Patch Changes
🐞🩹 linting errors which were previously being ignored across the monorepo. (by @better-salmon in #7418)
🐞🩹 Link SPA subsequent navigation now properly prefetch the next routes. (by @maiieul in #7590)
🐞🩹 SPA Link now handle subsequent onQVisible$ passed as props. (by @maiieul in #7612)
v1.13.0Compare Source
Minor Changes
🐞🩹 server$ errors can be caught by @plugin middleware (by @DustinJSilk in #7185)
refactor: Error types are standardised across server$ functions and routeLoaders (by @DustinJSilk in #7185)
✨ 499 is now a valid status code (by @DustinJSilk in #7185)
🐞🩹 server$ functions now correctly throw 4xx errors on the client (by @DustinJSilk in #7185)
Patch Changes
🐞🩹 Error boundary
ErrorBoundaryand fixuseErrorBoundary(by @damianpumar in #7342)🐞🩹 Write Response object in the send request event even on redirects (by @nelsonprsousa in #7422)
v1.12.1Compare Source
Patch Changes
🐞🩹 MDX content now accepts a prop of type
componentsthat lets you use your own custom components (by @double-thinker in #7277)To add custom components to your MDX content, you can now do this:
You can also use props in JS expressions. See https://mdxjs.com/docs/using-mdx/#props
🐞🩹 mdx not rendering (by @shairez in #7168)
📃 added a "Qwik for Mobile" guide to build iOS and Android Qwik apps (by @srapport in #7205)
🐞🩹 some qrls weren't fetched correctly on page load (by @shairez in #7286)
v1.12.0Compare Source
Patch Changes
🐞🩹 the previous URL now is undefined on first render. (by @damianpumar in #7082)
🐞🩹 server$ functions now correctly throw errors for > 500 error codes (by @DustinJSilk in #7078)
v1.11.0Compare Source
v1.10.0Compare Source
Patch Changes
🐞🩹 MDX content no longer ignores Layout components. See the MDX docs for more information. (by @danielvaijk in #6845)
🐞🩹 SSG errors now show the path that failed (by @wmertens in #6998)
🐞🩹 Fixed action redirect regression where searchParams were appended (by @brandonpittman in #6927)
🐞🩹 Redirect, error, and fail request events no longer forcefully delete user-defined Cache-Control HTTP header value. (by @nelsonprsousa in #6991)
🐞🩹
viteis now a peer dependency ofqwik,qwik-city,qwik-reactandqwik-labs, so that there can be no duplicate imports. This should not have consequences, since all apps also directly depend onvite. (by @wmertens in #6945)🐞🩹 Fixed MDX layout default export being ignored by transformer. (by @danielvaijk in #6845)
🐞🩹 Prevent unexpected caching for q-data.json (by @genki in #6808)
🐞🩹 Multiple rewrite routes pointing to the same route is no longer an error. (by @JerryWu1234 in #6970)
v1.9.1Compare Source
Patch Changes
noSPA. (by @wmertens in #6937)This disables history patching, slightly reducing code size and startup time. Use this when your application is MPA only, meaning you don't use the Link component. To enable this, add it to the
experimentalarray of theqwikViteplugin (not theqwikCityplugin).v1.9.0Compare Source
Minor Changes
✨ (EXPERIMENTAL) valibot$ validator and a fix for zod$ types. (by @fabian-hiller in #6752)
To use it, you need to pass
experimental: ['valibot']as an option to theqwikViteplugin as such:✨ (EXPERIMENTAL)
usePreventNavigatelets you prevent navigation while your app's state is unsaved. It works asynchronously for SPA navigation and falls back to the browser's default dialogs for other navigations. To use it, addexperimental: ['preventNavigate']to yourqwikViteoptions. (by @wmertens in #6825)Patch Changes
🐞🩹 added .ico to be detected by isStaticFile (by @intellix in #6860)
🐞🩹 fixed delays caused from inefficient Service Worker prefetching (buffering) (by @shairez in #6863)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.