Kageshiron

**Name of the Vulnerable Software and Affected Versions** Qwik versions prior to 1.19.0 **Description** Qwik City’s server-side request handler inconsistently interprets HTTP request headers. This can be exploited by a remote attacker to bypass Cross-Site Request Forgery (CSRF) protections on forms using specifically crafted or multi-valued Content-Type headers. The `Content-Type` header is involved in this issue. **Recommendations** Update to version 1.19.0 or later.

**Name of the Vulnerable Software and Affected Versions** Astro versions prior to 4.16.17 **Description** A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. **Recommendations** For versions prior to 4.16.17, upgrade to version 4.16.17 or later to address the issue. As a temporary workaround, consider restricting the use of the `security.checkOrigin` configuration option until a patch is available. Avoid using the `Content-Type` header with a semicolon-delimited parameter in the affected API endpoints until the issue is resolved. Restrict access to the Astro middleware to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.6.5 **Description** The issue allows an attacker to bypass cross-site request forgery (CSRF) protection implemented with Hono CSRF middleware by sending a request without a Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono considers a request without a Content-Type header to be safe. This can be exploited using the fetch API, which does not add a Content-Type header for requests without a body. **Recommendations** For Hono versions prior to 4.6.5, update to version 4.6.5 to fix the issue. As a temporary workaround, consider implementing additional validation for requests without a Content-Type header to prevent bypassing CSRF protection. Restrict access to sensitive endpoints that rely on Hono's CSRF middleware until the update is applied.