CVE-2026-25150
Prototype Pollution via FormData Processing in Qwik City
Description
### Summary

A Prototype Pollution vulnerability exists in the `formToObj()` function within `@builder.io/qwik-city` middleware. The function processes form field names with dot notation (e.g., `user.name`) to create nested objects, but fails to sanitize dangerous property names like `__proto__`, `constructor`, and `prototype`. This allows unauthenticated attackers to pollute `Object.prototype` by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.

### Impact

An unauthenticated attacker can supply specially crafted form field names that cause `formToObj()` to write dangerous keys (for example `__proto__`, `constructor`, `prototype`) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, authentication bypass, denial of service, or other global application integrity failures depending on how objects are used.
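To make the bug class concrete, here is an added example (not Qwik City's own `formToObj()` code) of a minimal dotted-key form parser in the vulnerable shape described above, beside a hardened version; the fix shape (rejecting the forbidden segments, null-prototype containers, own-property checks) is an assumption, not the project's actual patch.

```javascript
// Added example, not Qwik City's own code: a minimal dotted-key form parser in
// the vulnerable shape the advisory describes, beside a hardened version.
// `entries` is an iterable of [name, value] pairs, e.g. from FormData.entries().

// Vulnerable shape: every path segment, including "__proto__", becomes a key,
// so "__proto__.x" walks into Object.prototype and writes there.
function formToObjVulnerable(entries) {
  const result = {};
  for (const [name, value] of entries) {
    const parts = name.split(".");
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Segments that must never be used as keys when building nested objects.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened version (assumed fix shape): drop any field whose path contains a
// forbidden segment, build containers without a prototype, and only descend
// into properties the object itself owns (never inherited ones).
function formToObjHardened(entries) {
  const result = Object.create(null);
  for (const [name, value] of entries) {
    const parts = name.split(".");
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) continue; // reject field
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== "object" || cur[key] === null) {
        cur[key] = Object.create(null);
      }
      cur = cur[key];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Constructed sample input: one legitimate field and one crafted field name.
const SAMPLE_ENTRIES = [["user.name", "alice"], ["__proto__.polluted", "yes"]];
```

Running both parsers over `SAMPLE_ENTRIES` shows the vulnerable one leaving `polluted` on every object in the process, while the hardened one keeps only `user.name`.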
How to fix CVE-2026-25150
To remediate CVE-2026-25150, upgrade the affected package to a fixed version below.
- `@builder.io/qwik-city`: upgrade to 1.19.0 or later
Is CVE-2026-25150 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `@builder.io/qwik-city`: from 0, < 1.19.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L |