Description
Swagger UI before 4.1.3 allows a remote attacker to conduct spoofing attacks. The page accepted the location of the OpenAPI definition from the URL's query string, so by persuading a victim to open a crafted link to a legitimate Swagger UI instance, an attacker could make it fetch and display an attacker-controlled remote OpenAPI definition under the trusted site's own origin.
Recommendation
Update the swagger-ui package to the latest compatible version, and at minimum to 4.1.3. Version details:
- Affected version(s): < 4.1.3
- Patched version(s): 4.1.3
Note that 4.1.3 stops reading configuration (including the definition URL) from the query string by default; do not turn that behaviour back on via queryConfigEnabled unless the set of definition URLs the page may load is restricted.
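As an added illustration (not code from swagger-ui or from this advisory), the JavaScript below models the behaviour the description and recommendation refer to: a resolver that honours any ?url= value, as Swagger UI did before 4.1.3, next to a hardened resolver that only accepts definitions from the page's own origin or an explicit allowlist. The default definition path, the origins and the crafted link are assumed values constructed for the example.

```javascript
// Added example, not swagger-ui's own code. Before 4.1.3 Swagger UI honoured
// a ?url= query parameter and fetched whatever definition it named; the
// hardened resolver below only accepts definitions from an explicit allowlist.
// DEFAULT_SPEC and the origins used further down are assumed values.
const DEFAULT_SPEC = "/api/openapi.json";

// Models the pre-4.1.3 behaviour: any ?url= value is used as-is.
function legacyResolveSpecUrl(search) {
  const params = new URLSearchParams(search);
  return params.get("url") || DEFAULT_SPEC;
}

// Hardened resolver: a ?url= value is honoured only if it parses as an
// http(s) URL whose origin is the page's own origin or one that was
// explicitly allowlisted. Anything else falls back to DEFAULT_SPEC.
// pageOrigin is expected in the form "https://host" with no trailing slash,
// matching what URL.origin returns.
function safeResolveSpecUrl(search, pageOrigin, allowedOrigins = []) {
  const params = new URLSearchParams(search);
  const requested = params.get("url");
  if (!requested) return DEFAULT_SPEC;

  let parsed;
  try {
    // Relative paths resolve against the page origin, exactly as the
    // browser would resolve them when fetching.
    parsed = new URL(requested, pageOrigin);
  } catch (e) {
    return DEFAULT_SPEC; // unparsable input is never fetched
  }

  // Rejects javascript:, data:, file: and other non-web schemes.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return DEFAULT_SPEC;
  }

  // Comparing origins also catches protocol-relative values such as
  // ?url=//attacker.example/spec.json, which resolve to a foreign origin.
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  if (!allowed.has(parsed.origin)) return DEFAULT_SPEC;

  return parsed.href;
}

// Constructed sample input: the query string of a crafted link to a docs host.
const PAGE_ORIGIN = "https://docs.example.com";
const CRAFTED = "?url=https://attacker.example/spoof.json";

console.log("legacy resolver loads:", legacyResolveSpecUrl(CRAFTED));
console.log("hardened resolver loads:", safeResolveSpecUrl(CRAFTED, PAGE_ORIGIN));
```

With 4.1.3 or later the query string is ignored by default, so the hardened resolver only matters if you re-enable query configuration or read the url parameter yourself to pass into SwaggerUIBundle; in that case compare origins rather than string prefixes, since a prefix check on "https://docs.example.com" is satisfied by "https://docs.example.com.attacker.example".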
References
- GHSA-cr3q-pqgq-m8c2
- security.snyk.io
- security.netapp.com
- CVE-2018-25031
- CWE-20
- CWE-918
- CWE-922
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Spoofing attack in swagger-ui-dist - CVE-2021-46708
- Cross-Site Scripting in swagger-ui (GHSA-7f59-x49p-v8mq) - CVE-2016-1000226
- Improper Neutralization of Input During Web Page Generation in swagger-ui - CVE-2016-1000229
- Cross-Site Scripting in swagger-ui (GHSA-p239-93f7-h6xf) - CVE-2016-5682
Tags
- npm
- swagger-ui
Last updated on September 02, 2025