RCE using bad deserialization in builderio/qwik


Reported on

Mar 3rd 2023


Qwik provides an extended serialization mechanism for exchanging data between the client and server. This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types.

The Function deserializer can be accessed using the pureServerFunction feature. This allows us to pass in any Javascript code to be run by node.js.

Proof of Concept

By sending a POST request with a content type of application/qwik-json to /q-data.json we can trigger the vulnerable deserialization.

You can see the full proof of concept here. There is a little bit of finesse required due to the execution environment.

Video here.


Full compromise of CIA on most deployments.

Will not work on Cloudflare workers, or static deployments.


The root cause

We are processing your report and will contact the builderio/qwik team within 24 hours. 19 days ago
builderio/qwik maintainer has acknowledged this report 19 days ago
Adam Bradley gave praise 19 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Adam Bradley validated this vulnerability 19 days ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Adam Bradley marked this as fixed in 0.21.0 with commit 4d9ba6 14 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Adam Bradley published this vulnerability 14 days ago
serializers.ts#L236 has been validated
to join this conversation