CVE-2026-25148: When "Resumability" Becomes "Exploitability" in Qwik SSR
Vulnerability ID: CVE-2026-25148
CVSS Score: 5.3
Published: 2026-02-03
In the race for sub-millisecond page loads, the Qwik framework forgot one of the oldest rules in the book: never trust user input. CVE-2026-25148 describes a logic flaw in Qwik's SSR engine where metadata used for 'resumability' is serialized into HTML comments without escaping. By injecting a simple comment terminator, attackers can trick the browser into rendering malicious scripts directly from the server response. It’s a classic injection vulnerability wrapped in modern architectural complexity.
TL;DR
Qwik versions prior to 1.19.0 failed to escape input when serializing state into HTML comments during Server-Side Rendering (SSR). Attackers can inject --> to break out of the comment context and execute arbitrary JavaScript (XSS) in the victim's browser.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-79 (Cross-site Scripting)
- CVSS v4.0: 5.3 (Medium)
- Attack Vector: Network
- EPSS Score: 0.10%
- Fix Version: 1.19.0
- Exploit Maturity: Proof of Concept
Affected Systems
- Qwik Framework < 1.19.0 (fixed in 1.19.0)
Code Analysis
Commit: fe2d923
fix(ssr): proper escaping of virtual attributes and keys
+ text += ' ' + (value === '' ? prop : prop + '="' + escapeValue(value) + '"');
- text += ' ' + (value === '' ? prop : prop + '=' + value);
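Review bot: the commit title promises escaping of keys as well as attribute values, but in this hunk only `value` passes through `escapeValue`; `prop` is still concatenated raw into the serialized text, so a user-influenced key (the slot-name case the regression test covers) would remain unescaped unless that is handled in a hunk not shown here. Wrapping the value in double quotes is the right companion change, since the removed `prop + '=' + value` form emitted it unquoted; the quoting only holds if `escapeValue` also encodes `"`, which is worth confirming in its definition.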
Exploit Details
- Regression Test: Official regression test demonstrating comment breakout via slot names.
Mitigation Strategies
- Input Sanitization
- Context-Aware Output Encoding
- Library Updates
Remediation Steps:
- Upgrade the qwik package to version 1.19.0 or higher.
- Audit code for usages of user input in dynamic object keys or slot names.
- Implement Content Security Policy (CSP) to restrict script sources.
References
Read the full report for CVE-2026-25148 on our website for more details including interactive diagrams and full exploit analysis.