CVE-2026-32701 is a type confusion vulnerability in the Qwik JavaScript framework (versions prior to 1.19.2) related to how FormData is parsed when handling application/x-www-form-urlencoded or multipart/form-data requests. Qwik City converts dotted field names (e.g., items.0, items.1) into nested data structures, inferring arrays from these dotted keys. However, if an attacker submits a mixture of array-index keys and object-property keys for the same path—such as items.toString, items.push, items.valueOf, or items.length—this can cause user-controlled properties to be written onto values that the application expects to be arrays. This leads to type confusion, where the data type of a variable is not what the application logic expects. The consequences include malformed array states, oversized array lengths, and potential denial of service due to request handling failures or crashes in downstream code that relies on the array structure. The vulnerability does not impact confidentiality or integrity directly but severely impacts availability by causing application failures. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The issue was addressed and fixed in Qwik version 1.19.2 by correcting the parsing logic to prevent incompatible type assignments during FormData processing.

This vulnerability can cause denial of service conditions in web applications using vulnerable Qwik versions by corrupting internal data structures during request parsing. Applications may crash or behave unpredictably when processing specially crafted form submissions, leading to downtime and degraded user experience. Since exploitation requires no authentication and can be performed remotely, attackers can disrupt services at scale. Although it does not directly expose sensitive data or allow code execution, the resulting instability can be leveraged as part of larger attack campaigns to degrade service availability or bypass certain logic checks relying on array structures. Organizations relying on Qwik for performance-focused web applications risk significant operational impact, especially those with high traffic or critical uptime requirements. The vulnerability also increases the attack surface for chained exploits that may leverage denial of service conditions to facilitate further compromise.

The primary mitigation is to upgrade all Qwik framework instances to version 1.19.2 or later, where the parsing logic flaw has been corrected. Additionally, developers should implement strict input validation and sanitization on form data, especially for dotted field names and array-like structures, to prevent injection of unexpected keys. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious form submissions containing mixed array-index and object-property keys can provide a temporary protective layer. Monitoring application logs for anomalies in form data processing and unusual request patterns can help detect exploitation attempts. Developers should also review downstream code that processes parsed form data to ensure robust type checking and error handling to mitigate the impact of malformed inputs. Finally, adopting a defense-in-depth approach by isolating critical components and limiting the impact of denial of service conditions is recommended.