Listen to this Post
The vulnerability in Qwik City arises from inconsistent server-side handling of HTTP request headers during CSRF validation. Specifically, the checkCSRF function fails to properly parse and validate Content-Type headers when they are malformed or contain multiple values. An attacker can craft HTTP requests with specially designed Content-Type headers, such as “application/x-www-form-urlencoded, text/plain” or using header injection techniques, to bypass Origin-based CSRF checks. This exploitation requires that CORS preflight requests succeed, meaning it is only effective if the application accepts cross-origin requests or when accessed via non-browser clients. The server’s CORS and cookie policies dictate the impact, but in vulnerable configurations, this allows unauthorized state changes on behalf of authenticated users. The issue stems from lenient header interpretation in Qwik City’s request handler, which can be manipulated to circumvent CSRF protections designed to prevent cross-site request forgery attacks.
Platform: Qwik City
Version: All versions
Vulnerability: CSRF Protection Bypass
Severity: Moderate
Date: Feb 3 2026
Prediction: Patch expected soon
What Undercode Say:
Analytics:
curl -X POST https://target.com/api -H “Content-Type: application/x-www-form-urlencoded, text/plain” -d “csrf_bypass=1”
curl -v -H “Content-Type: malformed” https://target.com/form
nmap -p 443 –script http-csrf target.com
How Exploit:
Craft multi-valued Content-Type headers to bypass CSRF checks during cross-origin requests.
Protection from this CVE:
Update Qwik City, implement strict header validation, deny suspicious preflights.
Impact:
Unauthorized state changes, data manipulation risks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

