@builder.io/qwik is vulnerable to Code Injection. The vulnerability is caused by the PureFunctionSerializer function in serializers.ts, which does not sanitize data types when deserializing them; this allows an attacker to inject and execute malicious JavaScript on the server.
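The following is an added illustration of the defect class the advisory describes, not code from Qwik and not a reproduction of its serializer internals. It assumes a hypothetical wire format in which a function slot is a string tagged "fn:", and contrasts a deserializer that compiles the tagged text with one that only resolves it against a registry of functions the application registered itself; the registry entries, the tag, and the sample states are all constructed for the example.

```javascript
// Added example (not Qwik's code): restoring function values from untrusted
// serialized state without evaluating attacker-controlled text.

// Hypothetical wire format: a serialized value is ordinary JSON, except that a
// string starting with "fn:" stands for a function.
const FN_TAG = 'fn:';

// Unsafe pattern: the tag payload is treated as source code and compiled.
// Whoever controls the serialized state controls what runs on the server.
function deserializeUnsafe(serialized) {
  return JSON.parse(serialized, (_key, value) => {
    if (typeof value === 'string' && value.startsWith(FN_TAG)) {
      return new Function(value.slice(FN_TAG.length)); // evaluates untrusted text
    }
    return value;
  });
}

// Hardened pattern: a function slot may only name an entry in a registry the
// application populated at build time. The serialized text is never compiled,
// and unknown names are rejected rather than evaluated.
const registry = new Map([
  ['sum', (a, b) => a + b],
  ['upper', (s) => String(s).toUpperCase()],
]);

// Identifier-shaped names only; anything else cannot be a registry key.
const SAFE_NAME = /^[A-Za-z_$][\w$]{0,63}$/;

function deserializeSafe(serialized) {
  return JSON.parse(serialized, (_key, value) => {
    if (typeof value === 'string' && value.startsWith(FN_TAG)) {
      const name = value.slice(FN_TAG.length);
      if (!SAFE_NAME.test(name) || !registry.has(name)) {
        throw new Error(`refusing to deserialize unregistered function: ${JSON.stringify(name)}`);
      }
      return registry.get(name);
    }
    return value;
  });
}

// Constructed sample states: one names a registered function, the other
// carries source text where a function name was expected.
const GOOD_STATE = JSON.stringify({ op: 'fn:sum', args: [2, 3] });
const BAD_STATE = JSON.stringify({ op: 'fn:return 6 * 7', args: [] });

// Restore a state object and invoke its function slot with its arguments.
function runState(deserializer, state) {
  const obj = deserializer(state);
  return typeof obj.op === 'function' ? obj.op(...obj.args) : obj.op;
}

// Same inputs, different outcomes for the two deserializers.
function demo() {
  const results = { safeGood: runState(deserializeSafe, GOOD_STATE) }; // 5
  try {
    runState(deserializeSafe, BAD_STATE);
    results.safeBad = 'accepted';
  } catch (e) {
    results.safeBad = 'rejected'; // the hardened path refuses the payload
  }
  // The unsafe path compiles and runs the text from the serialized state.
  results.unsafeBad = runState(deserializeUnsafe, BAD_STATE); // 42
  return results;
}
```

The design point is that deserialization should map serialized tokens to values the application already trusts (a registry lookup keyed by a validated name), never to code derived from the serialized bytes; `demo()` returns `{ safeGood: 5, safeBad: 'rejected', unsafeBad: 42 }`, showing the same payload rejected by one path and executed by the other.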
gist.github.com/OhB00/1969229a0d1d87f70f06e79bf1816ca6
github.com/advisories/GHSA-9wf9-qvvp-2929
github.com/builderio/qwik/commit/4d9ba6e098ae6e537aa55abb6b8369bb670ffe66
github.com/BuilderIO/qwik/pull/3249
github.com/BuilderIO/qwik/pull/3249/commits/4d9ba6e098ae6e537aa55abb6b8369bb670ffe66
huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8