Cyber Resilience

CVE-2026-25150

Severity: Critical

Published: 03 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: fixed in Qwik 1.19.0
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L)
EPSS Score: 0.0062 (45.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25150 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Qwik Qwik. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25150 is a prototype pollution vulnerability in the Qwik JavaScript framework, specifically affecting the formToObj() function within the @builder.io/qwik-city middleware prior to version 1.19.0. The function parses form field names using dot notation (e.g., user.name) to build nested objects but does not sanitize dangerous property names such as __proto__, constructor, and prototype. This flaw, classified under CWE-1321, carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L), highlighting its critical severity due to network accessibility, low attack complexity, and no privileges required.

Unauthenticated attackers can exploit this vulnerability by sending crafted HTTP POST requests with malicious form data that pollutes Object.prototype. Successful exploitation may enable privilege escalation, authentication bypass, or denial of service, depending on the application's downstream logic that relies on the polluted prototype properties.

The issue has been addressed in Qwik version 1.19.0, as detailed in the GitHub security advisory (GHSA-xqg6-98cw-gxhq) and the patching commit (5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7). Security practitioners should upgrade to the fixed version and review applications using @builder.io/qwik-city middleware for exposure.

Vulnerability details

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
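The two descriptions above both come down to one parsing decision: a dotted field name is walked segment by segment into nested objects, and nothing stops a segment from being __proto__, constructor or prototype. The block below is an added example, not Qwik's code and not the patched formToObj(); the names safeFormToObj, splitFieldName, findPollutingFields, prototypeIsClean and FORBIDDEN_SEGMENTS are assumptions, and the form fields used are constructed. It shows the hardened parse (reject unsafe segments, build on null-prototype objects so there is no Object.prototype to reach), a pre-parse check that a middleware or WAF rule can run over the raw body, and a post-condition that confirms the global prototype is still clean.

```javascript
// Added example (not Qwik's code): hardened dot-notation form parsing in the
// style of the formToObj() behaviour described above, plus a detection helper
// for request bodies that carry prototype-polluting field names.
// Constructed sample inputs only; all names here are assumptions.

// Property segments that must never be written to a plain object. Walking
// into any of these from a user-supplied key is how Object.prototype gets
// polluted.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted field name and reject any empty or forbidden segment.
// Failing closed here is the fix the advisory describes as "sanitizing".
function splitFieldName(name) {
  const segments = name.split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`unsafe form field name: ${JSON.stringify(name)}`);
    }
  }
  return segments;
}

// Build a nested object from [name, value] pairs. Every container is created
// with Object.create(null), so even if a segment check were bypassed there is
// no prototype chain leading to Object.prototype. Object.hasOwn is a static
// call, so it cannot itself be shadowed by a polluted prototype.
function safeFormToObj(pairs) {
  const root = Object.create(null);
  for (const [name, value] of pairs) {
    const segs = splitFieldName(name);
    let cur = root;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i];
      if (!Object.hasOwn(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return root;
}

// Detection helper: return the field names in a URL-encoded body that contain a
// forbidden segment. Suitable for a middleware guard or a WAF/log rule that
// runs before any nested-object builder sees the body.
function findPollutingFields(body) {
  const params = new URLSearchParams(body);
  const hits = [];
  for (const name of params.keys()) {
    if (name.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      hits.push(name);
    }
  }
  return hits;
}

// Post-condition check for tests and health probes: a brand-new empty object
// should not see the named property unless Object.prototype was polluted.
function prototypeIsClean(propName) {
  return !(propName in {});
}
```

A useful way to wire this in is to run findPollutingFields on the raw body first, log and reject on any hit, and only then call the strict parser; the prototypeIsClean check belongs in the test suite so a regression in either layer shows up as a failing build rather than as a polluted process.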

CWE(s)

CWE-1321 Prototype Pollution

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE directly describes unauthenticated remote exploitation of a public-facing Qwik middleware component via crafted POST requests (T1190); successful prototype pollution enables privilege escalation and authentication bypass (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32701 (same product: Qwik Qwik)
CVE-2026-27971 (same product: Qwik Qwik)
CVE-2026-25155 (same product: Qwik Qwik)
CVE-2025-25015 (shared CWE-1321)
CVE-2026-42231 (shared CWE-1321)
CVE-2026-29063 (shared CWE-1321)
CVE-2024-57077 (shared CWE-1321)
CVE-2026-41690 (shared CWE-1321)
CVE-2026-44483 (shared CWE-1321)
CVE-2026-32621 (shared CWE-1321)

Affected Assets

Vendor: qwik
Product: qwik
Versions: ≤ 1.19.0

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) requires timely patching of known vulnerabilities like this prototype pollution flaw, fixed in Qwik version 1.19.0.

prevent: SI-10 (Information Input Validation) mandates validation and sanitization of form inputs to block dangerous property names such as __proto__ and constructor.

prevent: Prevents unauthorized modification of shared system resources like Object.prototype via tainted inputs.

References