Description
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks: by persuading a victim to open a crafted URL, the attacker could make the trusted Swagger UI page load and display a remote OpenAPI definition of the attacker's choosing.
Recommendation
Update the swagger-ui package to the latest compatible version. Version details:
- Affected version(s): < 4.1.3
- Patched version(s): 4.1.3
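Upgrading is the fix; as an added illustration (not code from this advisory or the Swagger UI project), the example below shows the defensive pattern behind it: the definition to render is chosen from a fixed allowlist instead of being taken from the page's `url` query parameter, with the 4.1.3 default of query-string configuration disabled. The origin `api.example.com`, the allowlist contents and `selectDefinition` are assumptions for the example.

```javascript
// Added example: pick the OpenAPI definition to render without trusting an
// arbitrary `url` query parameter. Assumptions (constructed for this example):
// the docs page is served from https://api.example.com and only the
// definitions in TRUSTED_DEFINITIONS may ever be rendered.

const TRUSTED_DEFINITIONS = new Set([
  "https://api.example.com/openapi/v1.json",
  "https://api.example.com/openapi/v2.json",
]);
const DEFAULT_DEFINITION = "https://api.example.com/openapi/v1.json";

// Returns the definition URL to render for the given page URL: the requested
// one only if, after normalisation, it is on the allowlist; otherwise the default.
function selectDefinition(pageHref) {
  let requested;
  try {
    requested = new URL(pageHref).searchParams.get("url");
  } catch {
    return DEFAULT_DEFINITION; // unparsable page URL: fall back, never guess
  }
  if (!requested) return DEFAULT_DEFINITION;

  let candidate;
  try {
    // Resolve relative values against the page so "/x" and "../x" are
    // compared as absolute URLs, and userinfo tricks end up in the real host.
    candidate = new URL(requested, pageHref);
  } catch {
    return DEFAULT_DEFINITION;
  }
  candidate.hash = ""; // a fragment never changes the fetched resource
  return TRUSTED_DEFINITIONS.has(candidate.href) ? candidate.href : DEFAULT_DEFINITION;
}

// How this plugs into Swagger UI (assumed wiring, not executed here; the option
// names are Swagger UI's documented ones):
//   SwaggerUIBundle({
//     dom_id: "#swagger-ui",
//     url: selectDefinition(window.location.href),
//     queryConfigEnabled: false, // off by default since 4.1.3; keep it off
//   });
```

A remote `url=` value that is not on the allowlist silently falls back to the default definition, which is the behaviour the 4.1.3 default gives you without this wrapper.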
References
- GHSA-cr3q-pqgq-m8c2
- security.snyk.io
- security.netapp.com
- CVE-2018-25031
- CWE-20
- CWE-918
- CWE-922
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A3
- OWASP 2021-A6
Tags:
- npm
- swagger-ui
Last updated on September 02, 2025