=====================================================================
                           CERT-Renater

                 Information Note No. 2026/VULN245
_____________________________________________________________________

DATE                 : 03/03/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running qwik (npm) versions prior to 1.19.1.

=====================================================================
https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm
_____________________________________________________________________

Unauthenticated RCE via server$ Deserialization

Critical
wmertens published GHSA-p9x5-jp3h-96mm Mar 2, 2026

Package            : @builder.io/qwik (npm)
Affected versions  : <=1.19.0
Patched versions   : 1.19.1

Description

Summary

qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization
vulnerability in the server$ RPC mechanism that allows any
unauthenticated user to execute arbitrary code on the server with a
single HTTP request. Affects any deployment where require() is
available at runtime.

Impact

Remote Code Execution

Severity

Critical 9.2 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : Present
  Privileges Required  : None
  User interaction     : None

Vulnerable System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High

Subsequent System Impact Metrics
  Confidentiality      : None
  Integrity            : None
  Availability         : None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID

CVE-2026-27971

Weaknesses

Weakness CWE-502

Credits

@sebastianosrt (Reporter)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
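To check a project against the affected range above, the following added example (not part of the advisory or of the qwik project) walks a parsed package-lock.json and reports every installed copy of @builder.io/qwik, including copies nested under other dependencies. The function names, the sample lockfile and the decision to treat 1.19.1 prereleases as unpatched are assumptions of this example.

```javascript
// Added example: audit a parsed package-lock.json for CVE-2026-27971.
const PKG = "@builder.io/qwik";
const PATCHED = [1, 19, 1]; // first patched version per the advisory

// Split "1.19.0-beta.1+build" into a numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// true = affected, false = patched, null = not a plain version (review by hand).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== PATCHED[i]) return p.core[i] < PATCHED[i];
  }
  return p.pre; // assumption: prereleases of 1.19.1 are treated as unpatched
}

// Collect every installed copy, including ones nested under other packages.
function findQwik(lock) {
  const hits = [];
  const add = (path, v) => hits.push({ path, version: v, affected: isAffected(v) });
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
        add(path, meta.version);
      }
    }
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) add(`${trail}/${name}`, meta.version);
      walk(meta.dependencies, `${trail}/${name}`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from the advisory).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@builder.io/qwik": { version: "1.19.1" },
  "node_modules/some-plugin/node_modules/@builder.io/qwik": { version: "1.14.0" },
} };
for (const h of findQwik(sampleLock)) {
  const label = h.affected === false ? "ok" : h.affected ? "AFFECTED" : "review";
  console.log(`${label}\t${h.version}\t${h.path}`);
}
```

To audit a real project, pass the result of JSON.parse on its package-lock.json to findQwik in place of sampleLock.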