CVE-2026-25150
Published: 03 February 2026
Summary
CVE-2026-25150 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the Qwik framework. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 22.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely patching of known vulnerabilities like this prototype pollution flaw, fixed in Qwik version 1.19.0.
- SI-10 (Information Input Validation): Mandates validation and sanitization of form inputs to block dangerous property names such as __proto__ and constructor.
- Prevents unauthorized modification of shared system resources like Object.prototype via tainted inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes unauthenticated remote exploitation of a public-facing Qwik middleware component via crafted POST requests (Exploit Public-Facing Application, T1190); successful prototype pollution enables privilege escalation and authentication bypass (Exploitation for Privilege Escalation, T1068).
NVD Description
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
Deeper analysis
CVE-2026-25150 is a prototype pollution vulnerability in the Qwik JavaScript framework, specifically affecting the formToObj() function within the @builder.io/qwik-city middleware prior to version 1.19.0. The function parses form field names using dot notation (e.g., user.name) to build nested objects but does not sanitize dangerous property names such as __proto__, constructor, and prototype. This flaw, classified under CWE-1321, carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L), highlighting its critical severity due to network accessibility, low attack complexity, and no privileges required.
Unauthenticated attackers can exploit this vulnerability by sending crafted HTTP POST requests with malicious form data that pollutes Object.prototype. Successful exploitation may enable privilege escalation, authentication bypass, or denial of service, depending on the application's downstream logic that relies on the polluted prototype properties.
The issue has been addressed in Qwik version 1.19.0, as detailed in the GitHub security advisory (GHSA-xqg6-98cw-gxhq) and the patching commit (5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7). Security practitioners should upgrade to the fixed version and review any application that accepts form submissions through @builder.io/qwik-city middleware for exposure.
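To make the SI-10 control concrete, the following is an added example, not Qwik's code and not the patched formToObj(): a dot-notation form parser of the kind the advisory describes, with the segment check whose absence is the flaw, null-prototype containers as a second layer, and a list of rejected field names the application can log. The request body is constructed for the example and the Node.js runtime is assumed.

```javascript
// Added example, not Qwik's code: a dot-notation form parser of the kind the
// advisory describes, hardened against prototype pollution. Node.js assumed.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A path segment is safe only if it is non-empty and is not one of the
// property names that reach Object.prototype from an ordinary object.
function isSafeSegment(seg) {
  return seg.length > 0 && !DANGEROUS_SEGMENTS.has(seg);
}

// Build nested objects from [name, value] pairs such as ['user.name', 'alice'].
// Defence in depth: (1) any field whose path has an unsafe segment is dropped
// and reported, (2) containers are null-prototype objects, so even a missed
// key could only become an own property, never a write to Object.prototype.
function parseFormFields(entries) {
  const data = Object.create(null);
  const rejected = [];
  for (const [name, value] of entries) {
    const segs = name.split('.');
    if (!segs.every(isSafeSegment)) {
      rejected.push(name); // keep for logging/alerting; do not throw on untrusted input
      continue;
    }
    let cur = data;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i];
      const existing = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
      if (typeof existing !== 'object' || existing === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return { data, rejected };
}

// Parse an application/x-www-form-urlencoded body the way a middleware would
// see it. URLSearchParams handles percent-decoding of names and values.
function parseBody(body) {
  return parseFormFields([...new URLSearchParams(body)]);
}

// Constructed sample body: two legitimate fields plus three malformed names
// (dangerous segments and an empty segment) that a hardened parser must refuse.
const SAMPLE_BODY =
  'user.name=alice&user.role=viewer' +
  '&__proto__.isAdmin=true&constructor.prototype.isAdmin=true&user..role=admin';

console.log(JSON.stringify(parseBody(SAMPLE_BODY)));
```

The rejected list is the detection hook: a non-empty list on an unauthenticated endpoint is worth an alert, since legitimate forms never use these names.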
Details
- CWE(s): CWE-1321 (Prototype Pollution)