Server side request forgery in SwaggerUI

Severity:: Medium

Description

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.

Recommendation

Update the swagger-ui package to the latest compatible version. Followings are version details:

Affected version(s): < 4.1.3
Patched version(s): 4.1.3

References

GHSA-qrmm-w75w-3wpx
CWE-918
OWASP 2021-A10

Related Issues

Server side request forgery in SwaggerUI (GHSA-qrmm-w75w-3wpx) - Vulnerability
Server side request forgery in SwaggerUI (GHSA-qrmm-w75w-3wpx) 2 - Vulnerability
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
@lobehub/chat Server Side Request Forgery vulnerability - CVE-2024-32965

Tags:: npm; swagger-ui

Anything's wrong? Let us know Last updated on June 02, 2023