CVE-2026-25149
Open Redirect in Qwik City Middleware Enables Phishing Attacks
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qwik | qwik | < 1.19.0 (fixed in 1.19.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Open Redirect issue (CWE-601) in Qwik City's default request handler middleware prior to version 1.19.0. It allows a remote attacker to redirect users to arbitrary protocol-relative URLs, that is, targets of the form //attacker-host/path, which a browser resolves using the current page's scheme and therefore to an external origin rather than a path on the trusted site.
An attacker can exploit this by crafting links that appear to come from a trusted domain but actually redirect victims to attacker-controlled sites.
This can be used to facilitate phishing attacks by making malicious links look legitimate.
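The following is an added illustration of the bug class described above, not Qwik City's own middleware code: a naive "must start with a slash" redirect check accepts protocol-relative targets, while a hardened check resolves the target against a fixed origin and only accepts it if the origin is unchanged. Function names, the origin https://app.example, and the sample targets are assumptions constructed for this example.

```javascript
// Added example for CWE-601 with protocol-relative URLs.
// Illustrative code only; it is NOT Qwik City's request handler.
// Names and the origin below are assumptions for this example.

// Naive check: intended to keep redirects on-site by requiring a
// leading "/", but "//evil.example/login" also starts with "/" and is
// a protocol-relative URL that the browser resolves to
// https://evil.example/login on an HTTPS page.
function isLocalRedirectNaive(target) {
  return typeof target === "string" && target.startsWith("/");
}

// Hardened check: reject "//" and "/\" prefixes outright (WHATWG URL
// parsing treats a backslash like a slash for http(s)), then parse the
// target relative to our own origin and require that the resolved
// origin is still ours. Absolute URLs and "javascript:" targets fail
// the leading-slash test; anything that changes host fails the origin
// comparison.
function isLocalRedirectSafe(target, origin = "https://app.example") {
  if (typeof target !== "string") return false;
  if (!target.startsWith("/")) return false;
  if (target.startsWith("//") || target.startsWith("/\\")) return false;
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return false; // unparsable target: never redirect to it
  }
  return resolved.origin === origin;
}

// Resolve where a redirect would actually send the browser, falling
// back to the site root when the checker rejects the target.
function resolveRedirect(target, checker, origin = "https://app.example") {
  if (checker(target, origin)) {
    return new URL(target, origin).href;
  }
  return new URL("/", origin).href;
}

// Constructed sample of redirect targets an attacker might supply in a
// "next"/"return" style parameter, plus one legitimate value.
const SAMPLE_TARGETS = [
  "/dashboard?tab=1",          // legitimate, on-site
  "//evil.example/login",      // protocol-relative, off-site
  "/\\evil.example/login",     // backslash variant of the same trick
  "https://evil.example/",     // absolute, off-site
];

// Returns a table of {target, naive, safe} so the difference between the
// two checks is visible for every sample.
function compareChecks(targets = SAMPLE_TARGETS) {
  return targets.map((target) => ({
    target,
    naive: resolveRedirect(target, isLocalRedirectNaive),
    safe: resolveRedirect(target, isLocalRedirectSafe),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.target}\n  naive -> ${row.naive}\n  safe  -> ${row.safe}`);
}
```

The origin comparison is the part that matters: a prefix test on the raw string cannot distinguish "/path" from "//host" or "/\host" reliably, whereas resolving the candidate with the URL parser and checking `origin` answers the only question a redirect guard needs to answer, namely whether the browser would stay on the trusted host.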
How can this vulnerability impact me?
The vulnerability can impact you by letting attackers send your users to malicious websites through links that carry your domain: the user sees and clicks a link to your site, and the vulnerable middleware redirects them onward to the attacker's host.
This can lead to phishing attacks where users are tricked into providing sensitive information or downloading malware.
It undermines user trust in your domain and can damage your reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Qwik to version 1.19.0 or later, where the Open Redirect issue in Qwik City's default request handler middleware has been patched.