CVE-2026-32701

Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.2

Description Qwik is a JavaScript framework where versions before 1.19.2 incorrectly interpreted arrays from dotted form field names during FormData parsing. An attacker could submit mixed array-index and object-property keys for the same path, potentially writing user-controlled properties onto values expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys—such as items.toString, items.push, items.valueOf, or items.length—could alter the server-side value unexpectedly. This could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. The issue affects form parsing in Qwik City request handling and does not require authentication if the vulnerable route is publicly accessible. An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape, potentially triggering runtime errors or causing type confusion.

Recommendations Update to Qwik version 1.19.2 or later. Avoid trusting parsed form data to be a well-formed array when using dotted field names. Validate or normalize action input before using array methods or relying on array shape.