CVE-2025-53620

CRITICAL

@builder.io/qwik-city <1.13.0 - DoS

Title source: llm

Description

@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0.

References (1)

[Vendor Advisory] https://github.com/QwikDev/qwik/security/advisories/GHSA-qr9h-j6xg-2j72

Scores

CVSS v4 9.2

EPSS 0.0004

EPSS Percentile 12.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-248

Status published

Products (2)

builder.io/qwik-city 0 - 1.13.0npm

QwikDev/qwik < 1.13.0

Published Jul 09, 2025

Tracked Since Feb 18, 2026