DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-32701: Array Method Pollution and Denial of Service in Qwik City Middleware

Vulnerability ID: CVE-2026-32701
CVSS Score: 7.5
Published: 2026-03-20

Qwik City middleware versions prior to 1.19.2 contain an array method pollution vulnerability within the form parsing component. Unauthenticated remote attackers can overwrite native array methods via crafted multipart or URL-encoded HTTP requests, resulting in type confusion and server-side Denial of Service (DoS).

TL;DR

A structural flaw in Qwik City's form parser allows attackers to overwrite native array methods by mixing numeric and string keys under the same dotted form path: the parser creates an Array for the numeric keys and then assigns the string key onto that Array, shadowing one of its native methods. A later call to that method throws an unhandled TypeError, resulting in Denial of Service.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-843
  • Secondary CWE: CWE-1321
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5
  • Impact: Denial of Service
  • EPSS Score: 0.00053
  • Exploit Status: Proof of Concept

Affected Systems

  • Qwik
  • qwik-city middleware
  • Qwik (qwik-city): < 1.19.2 (Fixed in: 1.19.2)

Code Analysis

Commit: 7b5867c

Security patch fixing array method pollution in formToObj via two-pass parsing and Object.create(null).
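The TL;DR and the patch summary above describe the fix only in outline. The following added example is not qwik-city's code; the names formToObj and parseUrlEncoded, the exact two-pass layout and the conflict handling are assumptions modelled on the description "two-pass parsing and Object.create(null)". It shows one way a form-to-object parser can first classify every dotted prefix and only then build containers, using prototype-less objects for maps and real arrays only where every child key is numeric, so that a string key can never be assigned onto an Array and shadow one of its methods.

```javascript
// Illustrative hardened form-to-object parser for the flaw class this
// advisory describes. NOT qwik-city's formToObj: names and structure are
// assumptions based on the patch summary ("two-pass parsing and
// Object.create(null)").

const NUMERIC_KEY = /^(0|[1-9]\d*)$/;
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Pass 1: classify every dotted prefix as "array" (all children numeric),
// "object" (all children non-numeric) or "leaf" (a value is stored there).
// A prefix seen in more than one role is marked "conflict".
function classifyPaths(entries) {
  const roles = new Map();
  const mark = (path, role) => {
    const seen = roles.get(path);
    if (seen === undefined) roles.set(path, role);
    else if (seen !== role) roles.set(path, 'conflict');
  };
  for (const [key] of entries) {
    const parts = key.split('.');
    for (let i = 1; i < parts.length; i++) {
      mark(parts.slice(0, i).join('.'), NUMERIC_KEY.test(parts[i]) ? 'array' : 'object');
    }
    mark(key, 'leaf');
  }
  return roles;
}

// Pass 2: build the result. Containers are prototype-less objects, or real
// arrays only where pass 1 proved every child key is numeric, so a string
// key never lands on an Array and cannot shadow one of its native methods.
function formToObj(entries) {
  const roles = classifyPaths(entries);
  const root = Object.create(null);
  for (const [key, value] of entries) {
    const parts = key.split('.');
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      throw new TypeError(`rejected key "${key}": forbidden path segment`);
    }
    if (roles.get(key) === 'conflict') {
      throw new TypeError(`rejected key "${key}": path used both as value and as container`);
    }
    let node = root;
    for (let i = 0; i < parts.length - 1; i++) {
      const prefix = parts.slice(0, i + 1).join('.');
      const role = roles.get(prefix);
      if (role === 'conflict') {
        throw new TypeError(
          `rejected key "${key}": "${prefix}" is used inconsistently (mixed numeric/string keys, or value vs container)`
        );
      }
      if (node[parts[i]] === undefined) {
        node[parts[i]] = role === 'array' ? [] : Object.create(null);
      }
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Convenience wrapper for an application/x-www-form-urlencoded body.
// URLSearchParams yields [key, value] pairs in submission order.
function parseUrlEncoded(body) {
  return formToObj(Array.from(new URLSearchParams(body)));
}

// Constructed sample input, not taken from the advisory.
const sample = parseUrlEncoded('user.name=ada&user.tags.0=x&user.tags.1=y');
console.log(JSON.stringify(sample)); // {"user":{"name":"ada","tags":["x","y"]}}
```

The reason for two passes is that a single pass must pick a container type the first time it sees a prefix; when a later key under the same prefix is of the other kind, the parser either assigns it onto the wrong container or has to rewrite what it already built. Classifying first makes mixed prefixes a detectable condition. The TypeError thrown here is deliberate and expected to be caught by the request handler and turned into a 4xx validation response, in line with the error-handling mitigation listed below, rather than propagating as an unhandled exception.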

Exploit Details

  • Vendor Advisory: Functional proof-of-concept demonstrating array method pollution in qwik-city form parser.

Mitigation Strategies

  • Upgrade qwik-city middleware to version 1.19.2 or later.
  • Implement WAF rules rejecting dotted form parameters targeting array prototype methods.
  • Ensure robust error handling to catch unhandled TypeErrors and prevent server termination.

Remediation Steps:

  1. Identify all projects utilizing Qwik and the qwik-city middleware component.
  2. Update the @builder.io/qwik-city dependency in package.json to >=1.19.2.
  3. Execute npm install or yarn install to apply the updated package.
  4. Rebuild and deploy the application.
  5. Verify the fix by sending the PoC payload to a form endpoint and confirming a 200 OK or handled validation error instead of a 500 crash.
