Server Action Error Handling Flaw in Qwik Framework by Builder.io
CVE-2025-53620

9.2 CRITICAL

Key Information:

Vendor: Qwikdev

Status
Vendor
CVE Published: 9 July 2025

What is CVE-2025-53620?

The Qwik framework by Builder.io has a flaw in the execution of Qwik Server Action QRLs, which dynamically load the files they need. When an invalid 'qfunc' parameter is provided, the resulting error is not handled properly and the Node.js environment crashes, which can lead to service disruption. The issue is fixed in version 1.13.0.

Affected Version(s)

qwik < 1.13.0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
