Qwik City, CSRF Protection Bypass, Moderate Severity

Listen to this Post

The vulnerability in Qwik City arises from inconsistent server-side handling of HTTP request headers during CSRF validation. Specifically, the checkCSRF function fails to properly parse and validate Content-Type headers when they are malformed or contain multiple values. An attacker can craft HTTP requests with specially designed Content-Type headers, such as “application/x-www-form-urlencoded, text/plain” or using header injection techniques, to bypass Origin-based CSRF checks. This exploitation requires that CORS preflight requests succeed, meaning it is only effective if the application accepts cross-origin requests or when accessed via non-browser clients. The server’s CORS and cookie policies dictate the impact, but in vulnerable configurations, this allows unauthorized state changes on behalf of authenticated users. The issue stems from lenient header interpretation in Qwik City’s request handler, which can be manipulated to circumvent CSRF protections designed to prevent cross-site request forgery attacks.
Platform: Qwik City
Version: All versions
Vulnerability: CSRF Protection Bypass
Severity: Moderate
Date: Feb 3 2026

Prediction: Patch expected soon

What Undercode Say:

Analytics:

curl -X POST https://target.com/api -H “Content-Type: application/x-www-form-urlencoded, text/plain” -d “csrf_bypass=1”
curl -v -H “Content-Type: malformed” https://target.com/form

nmap -p 443 –script http-csrf target.com

How Exploit:

Craft multi-valued Content-Type headers to bypass CSRF checks during cross-origin requests.

Protection from this CVE:

Update Qwik City, implement strict header validation, deny suspicious preflights.

Impact:

Unauthorized state changes, data manipulation risks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top