@builder.io/qwik-city@1.18.0

The meta-framework for Qwik.

  • latest version

    1.19.2

  • latest non-vulnerable version

  • first published

    4 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @builder.io/qwik-city package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H (High)
    Access of Resource Using Incompatible Type ('Type Confusion')

    @builder.io/qwik-city is the meta-framework for Qwik.

    Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in the FormData function when handling application/x-www-form-urlencoded or multipart/form-data requests. An attacker can cause server-side values to be altered in unexpected ways by submitting crafted form field names that mix array indices and object-property keys for the same path. This can result in runtime errors, increased server resource consumption, or type confusion in downstream code by manipulating the structure of parsed input.

    How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

    Upgrade @builder.io/qwik-city to version 1.19.2 or higher.

    Vulnerable versions: <1.19.2
    • M (Medium)
    Cross-site Request Forgery (CSRF)

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via inconsistent interpretation of HTTP request headers in the server-side request handler. An attacker can bypass protections by submitting specially crafted or multi-valued Content-Type headers.

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade @builder.io/qwik-city to version 1.19.0 or higher.

    Vulnerable versions: <1.19.0
    • M (Medium)
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the fixTrailingSlash middleware. An attacker can redirect users to arbitrary protocol-relative URLs by crafting malicious links that appear to originate from a trusted domain.

    How to fix Open Redirect?

    Upgrade @builder.io/qwik-city to version 1.19.0 or higher.

    Vulnerable versions: <1.19.0
    • C (Critical)
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the formToObj function, which processes form field names with dot notation but does not properly sanitize dangerous property names. An attacker can modify the prototype of built-in objects by sending crafted HTTP POST requests containing malicious form field names, potentially resulting in privilege escalation, authentication bypass, or application disruption.

    How to fix Prototype Pollution?

    Upgrade @builder.io/qwik-city to version 1.19.0 or higher.

    Vulnerable versions: <1.19.0