VYPR
Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 4, 2026

[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

CVE-2026-25155

Description

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@builder.io/qwik-citynpm
< 1.12.01.12.0

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.