CVE-2026-32701
Status: Received - Intake
Type Confusion in Qwik FormData Parsing Causes DoS

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path, such as items.toString, items.push, items.valueOf, or items.length, could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor  Product  Version / Range
qwik    qwik     prior to 1.19.2 (1.19.2 excluded)
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Qwik City versions prior to 1.19.2 and involves improper parsing of form data keys that represent arrays. When processing form submissions with dotted field names like "items.0" and "items.1", Qwik City tries to convert these into nested array structures. However, if an attacker submits mixed keys combining array indices and object properties on the same path (for example, "items.toString", "items.push", "items.valueOf", or "items.length"), the framework incorrectly writes user-controlled properties onto values expected to be arrays.

This leads to malformed or unsafe data structures, causing type confusion and unexpected behavior in the application. The vulnerability allows an attacker to manipulate the server-side data structure by mixing array and object keys, which can cause request handling failures or denial of service.

The issue was fixed by improving the parsing logic to only treat keys as arrays if all keys under a given path are valid non-negative integer indices, and by filtering out dangerous keys that could lead to prototype pollution. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by causing application instability and denial of service (DoS). Specifically, by submitting crafted form data with mixed array and object keys, an attacker can cause malformed array states, inflated array lengths, or type confusion in downstream code that expects well-formed arrays.

This can lead to unexpected runtime errors, failures in request handling, and increased server resource consumption, potentially making the application unavailable or unreliable.

The vulnerability does not require authentication and can be exploited remotely via crafted form submissions on publicly accessible routes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious or malformed form submissions that include mixed array-index and object-property keys in application/x-www-form-urlencoded or multipart/form-data requests. Specifically, look for POST requests containing dotted field names such as "items.0", "items.1" combined with keys like "items.toString", "items.push", "items.valueOf", or "items.length".

To detect such attempts on your system, you can capture and inspect HTTP POST requests to your Qwik City application endpoints using network tools or web server logs.

Example commands to detect suspicious form data submissions include:

  • Using tcpdump or tshark to capture HTTP traffic and filter for POST requests:

    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'items\.(0|1|toString|push|valueOf|length)'

  • Using grep on web server access logs to find suspicious form keys:

    grep -E 'items\.(0|1|toString|push|valueOf|length)' /var/log/nginx/access.log

Additionally, application-level logging can be enhanced to log incoming form keys and detect mixed array and object property keys on the same path. [2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Qwik City to version 1.19.2 or later, where the vulnerability has been fixed by improved parsing of form data keys to correctly distinguish arrays from objects and exclude dangerous keys.

Until the upgrade can be applied, you should:

  • Avoid trusting parsed form data as well-formed arrays when using dotted field names.
  • Validate and normalize input data before applying array methods or relying on array structure in your application code.
  • Implement input filtering or sanitization to reject or sanitize form submissions containing mixed array-index and object-property keys on the same path.
  • Monitor for suspicious form submissions as described in detection steps to identify potential exploitation attempts.
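One way to implement the parsing rule the fix is described as using (a path is an array only when every key under it is a non-negative integer index, with prototype-polluting keys dropped), together with the mixed-path check that the detection and mitigation answers above call for, as an added JavaScript example that is not Qwik City's own code; parseDottedForm, MAX_INDEX and the sample bodies are assumptions:

```javascript
// Added example, not Qwik's own code: a dotted-key form parser applying the rule
// this page describes. A path becomes an array only if every key under it is a
// non-negative integer index; otherwise it becomes a plain object. Prototype-
// polluting segments are dropped, and mixed paths are reported for logging/rejection.
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const MAX_INDEX = 10000; // assumed cap: larger indices are not accepted as array slots
const isIndex = (k) => /^(0|[1-9]\d*)$/.test(k) && Number(k) <= MAX_INDEX;

// entries: iterable of [name, value] pairs, e.g. from FormData or URLSearchParams.
function parseDottedForm(entries) {
  const root = Object.create(null); // no inherited properties to collide with
  const childKeys = new Map();      // parent path -> Set of child key names seen
  const flat = [];
  for (const [name, value] of entries) {
    const parts = name.split(".");
    if (parts.some((p) => p === "" || PROTO_KEYS.has(p))) continue; // drop unsafe names
    flat.push([parts, value]);
    for (let i = 1; i < parts.length; i++) {
      const path = parts.slice(0, i).join(".");
      if (!childKeys.has(path)) childKeys.set(path, new Set());
      childKeys.get(path).add(parts[i]);
    }
  }
  // Decide container types only after every key of the request has been seen.
  const isArrayPath = (path) => [...childKeys.get(path)].every(isIndex);
  const mixedPaths = [...childKeys]
    .filter(([path, keys]) => !isArrayPath(path) && [...keys].some(isIndex))
    .map(([path]) => path);
  for (const [parts, value] of flat) {
    let node = root;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      const path = parts.slice(0, i + 1).join(".");
      // A scalar already stored at this path is replaced by the container.
      if (node[key] === null || typeof node[key] !== "object") {
        node[key] = isArrayPath(path) ? [] : Object.create(null);
      }
      node = node[key];
    }
    node[parts[parts.length - 1]] = value; // repeated names: last value wins
  }
  return { data: root, mixedPaths };
}

// Constructed sample bodies (not from the advisory): a well-formed submission and
// one that mixes index keys with array method/property names on the same path.
const benign = [["items.0", "a"], ["items.1", "b"], ["user.name", "x"]];
const hostile = [["items.0", "a"], ["items.1", "b"], ["items.length", "4294967295"], ["items.push", "x"], ["__proto__.polluted", "1"]];
```

A non-empty mixedPaths is the signal to log or reject the request; the hostile body yields a plain object for items (never an array with an oversized length) and leaves Object.prototype untouched.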
