Listen to this Post
This vulnerability exists within the CSRF protection middleware of the Qwik City framework. The security mechanism relies on correctly verifying the `Content-Type` header of incoming HTTP requests to determine if CSRF checks should be applied. The function `isContentType()` uses a regular expression to parse this header. Due to a typo in this regex, it fails to correctly match headers that include parameters, such as multipart/form-data; boundary=something. The regex likely expects a strict match without considering the potential semicolon and additional key-value pairs following the primary media type. Consequently, a request with a parameterized `Content-Type` header is incorrectly classified as not requiring a CSRF check. An attacker can craft a malicious form submission or API request targeting a Qwik City application, setting the `Content-Type` to `multipart/form-data` with any boundary parameter. The flawed validation logic allows the request to bypass the Origin check, enabling a Cross-Site Request Forgery attack where the attacker’s page can trigger unauthorized state-changing actions on behalf of an authenticated user.
Platform: Qwik City
Version: Pre-1.6.x
Vulnerability: CSRF Bypass
Severity: Moderate
Date: 2026-02-03
Prediction: 2026-02-10
What Undercode Say:
git clone https://github.com/QwikDev/qwik grep -r "isContentType" --include=".ts" --include=".js" curl -X POST https://victim.app/form -H "Content-Type: multipart/form-data; boundary=malicious" --data-binary $'--malicious\r\nContent-Disposition: form-data; name="action"\r\n\r\ndelete_account\r\n--malicious--\r\n'
// Example of flawed regex logic
function isContentType(request, type) {
const contentType = request.headers.get('content-type');
// Incorrect regex that fails on parameters
return new RegExp(<code>^${type}</code>).test(contentType); // Should account for optional '; charset=utf-8' etc.
}
How Exploit:
Craft HTML form with `enctype=”multipart/form-data”` targeting vulnerable endpoint. Trick authenticated user into submitting it.
Protection from this CVE:
Update to patched version (e.g., 1.6.1). Implement additional anti-CSRF tokens.
Impact:
Unauthorized form submissions. Account takeover. Data manipulation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

