VYPR
Critical severity · NVD Advisory · Published Mar 8, 2023 · Updated Mar 5, 2025

Code Injection in builderio/qwik

CVE-2023-1283

Description

Code Injection in GitHub repository builderio/qwik prior to 0.21.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@builder.io/qwik (npm) | < 0.21.0 | 0.21.0

Patches

4d9ba6e098ae

fix(security): Remove PureFunctionSerializer

https://github.com/builderio/qwik · Miško Hevery · Mar 3, 2023 · via ghsa
1 file changed · +14 −29
  • packages/qwik/src/core/container/serializers.ts+14 29 modified
    @@ -226,20 +226,6 @@ const ComponentSerializer: Serializer<Component<any>> = {
       },
     };
     
    -const PureFunctionSerializer: Serializer<Function> = {
    -  prefix: '\u0011',
    -  test: (obj) => typeof obj === 'function' && obj.__qwik_serializable__ !== undefined,
    -  serialize: (obj) => {
    -    return obj.toString();
    -  },
    -  prepare: (data) => {
    -    const fn = new Function('return ' + data)();
    -    fn.__qwik_serializable__ = true;
    -    return fn;
    -  },
    -  fill: undefined,
    -};
    -
     const SignalSerializer: Serializer<SignalImpl<any>> = {
       prefix: '\u0012',
       test: (v) => v instanceof SignalImpl,
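
Review bot: Nothing in this change proves that a serialized value carrying the retired '\u0011' prefix is now inert: the removed prepare ran new Function('return ' + data)() on the serialized string, and the commit touches only serializers.ts, so no test accompanies the removal. Add a regression test asserting that a payload starting with '\u0011' is never evaluated when state is restored. The removed test() keyed on obj.__qwik_serializable__; any code that still sets that marker should be removed or made to fail with a clear error at serialize time, since such functions no longer match any serializer.
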
    @@ -335,21 +321,20 @@ const FormDataSerializer: Serializer<FormData> = {
     };
     
     const serializers: Serializer<any>[] = [
    -  QRLSerializer,
    -  SignalSerializer,
    -  SignalWrapperSerializer,
    -  WatchSerializer,
    -  ResourceSerializer,
    -  URLSerializer,
    -  DateSerializer,
    -  RegexSerializer,
    -  ErrorSerializer,
    -  DocumentSerializer,
    -  ComponentSerializer,
    -  PureFunctionSerializer,
    -  NoFiniteNumberSerializer,
    -  URLSearchParamsSerializer,
    -  FormDataSerializer,
    +  QRLSerializer, ////////////// \u0002
    +  SignalSerializer, /////////// \u0012
    +  SignalWrapperSerializer, //// \u0013
    +  WatchSerializer, //////////// \u0003
    +  ResourceSerializer, ///////// \u0004
    +  URLSerializer, ////////////// \u0005
    +  DateSerializer, ///////////// \u0006
    +  RegexSerializer, //////////// \u0007
    +  ErrorSerializer, //////////// \u000E
    +  DocumentSerializer, ///////// \u000F
    +  ComponentSerializer, //////// \u0010
    +  NoFiniteNumberSerializer, /// \u0014
    +  URLSearchParamsSerializer, // \u0015
    +  FormDataSerializer, ///////// \u0016
     ];
     
     const collectorSerializers = /*#__PURE__*/ serializers.filter((a) => a.collect);
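
Review bot: The prefix comments added to the serializers array duplicate each serializer's own prefix field and will drift silently if one of them changes; they also leave '\u0011' as an unexplained gap between ComponentSerializer (\u0010) and SignalSerializer (\u0012). Add a line stating that '\u0011' belonged to the removed PureFunctionSerializer and must not be reassigned, and back the comments with a unit test that asserts the prefixes in the array are unique. The slash-padded form (QRLSerializer, ////////////// \u0002) is hard to read; a plain trailing // \u0002 comment would do.
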
    
