Swiper
CVE-2026-27212
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 10 npm packages depend on swiper (3 direct, 8 indirect)
Ecosystem-wide dependent count for version 6.5.1.
DescriptionGitHub Advisory
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2.
AnalysisAI
Prototype pollution in Swiper versions 6.5.1 through 12.1.1 allows local authenticated attackers to manipulate Object.prototype through improperly validated user input, enabling authentication bypass, denial of service, and remote code execution. Public exploit code exists for this vulnerability, which affects applications on Linux and Windows using Node.js or Bun runtimes. A patch is available and should be applied immediately to affected systems processing untrusted input.
Technical ContextAI
This vulnerability (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)) affects Swiper. Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.pr
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 12.1.2..
This affects the package swiper before 6.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploit
adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. Rated medium seve
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. Rated m
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. Rated medium sev
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hmx5-qpq5-p643