Skip to content

Update dependency swiper to v12 [SECURITY]#288

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-swiper-vulnerability
Open

Update dependency swiper to v12 [SECURITY]#288
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-swiper-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 21, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
swiper (source) ^11.1.4^12.0.0 age confidence

Prototype pollution in swiper

CVE-2026-27212 / GHSA-hmx5-qpq5-p643

More information

Details

Summary

A prototype pollution vulnerability exists in the the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2

Details

The vulnerability resides in line 94 of shared/utils.mjs where indexOf() function is used to check whether user provided input contain forbidden strings.

PoC
Steps to reproduce
  1. Install latest version of swiper using npm install
  2. Run the following code snippet:
var swiper = require('swiper');
Array.prototype.indexOf = () => -1;        
let obj = {};
var malicious_payload = '{"__proto__":{"polluted":"yes"}}';
console.log({}.polluted);
swiper.default.extendDefaults(JSON.parse(malicious_payload));
console.log({}.polluted);  // prints yes -> indicating that the patch was bypassed and prototype pollution occurred
Expected behavior

Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:

undefined
undefined OR throw an Error
Actual behavior

Object.prototype is polluted
This is printed on the console:

undefined 
yes
Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how swiper is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.
It could potentially lead to the following problems:

  1. Authentication bypass
  2. Denial of service - Even if an attacker is not able to exploit prototype pollution in swiper, if there is a prototype pollution within the project from other dependencies, modifying global Array.prototype.indexOf property can result in crash when swiper.default.extendDefaults is called because swiper makes use of this global property. This can lead to Denial of Service.
  3. Remote code execution (if polluted property is passed to sinks like eval or child_process)
Related CVEs

CVE-2026-25521
CVE-2026-25047
CVE-2026-26021

Severity

  • CVSS Score: 9.4 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nolimits4web/Swiper (swiper)

v12.1.2

Compare Source

v12.1.1

Compare Source

Bug Fixes

v12.1.0

Compare Source

Bug Fixes
  • autoplay: broken custom delay percentages with pause/resume (#​8133) (0afecde)
  • core: Don't use data-swiper-slide-index for realIndex when virtual module is enabled (#​8142) (bd957f8)
  • core: Escape all CSS selector special characters (d35f41a), closes #​8135
  • core: support slidesOffsetBefore and slidesOffsetAfert in cssMode (45b98d0), closes #​7926
  • fix lazy preloader removal error in react in vue (332f5c7), closes #​8149
  • thumbs: update slide classes on virtual swiper update (#​8141) (9752771)
  • types: Add autoScroll to thumbs.update type signature (#​8146) (5d91e6e)
  • zoom: initialize gesture state after programmatic zoom (#​8112) (71e9511)
Features

v12.0.3

Compare Source

Bug Fixes
Features
  • core: add 'getRotateFix' export to effect utils (c97ae5d), closes #​8114

v12.0.2

Compare Source

Features

v12.0.1

Compare Source

Bug Fixes
  • navigation: tweak nav styles when adjacent (98440d9)

v12.0.0

Compare Source

Bug Fixes
Features
  • a11y: add wrapperLiveRegion param to disable wrapper live region in a11y module (#​8061) (d03044e)
  • move to SVG icons for navigation (264603c), closes #​6652 #​4990
  • remove LESS and SCSS styles in favor of CSS (118ec66)
  • virtual: add slidesPerViewAutoSlideSize parameter for fixed slide dimensions with slidesPerView auto (d472144), closes #​8041 #​7796

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@netlify

netlify Bot commented Feb 21, 2026

Copy link
Copy Markdown

Deploy Preview for content-ops-starter ready!

Name Link
🔨 Latest commit 3516762
🔍 Latest deploy log https://app.netlify.com/projects/content-ops-starter/deploys/6a2ac2a5bac8110008e4b781
😎 Deploy Preview https://deploy-preview-288--content-ops-starter.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch from 8cfac8a to f259ffd Compare March 14, 2026 12:59
@renovate renovate Bot changed the title Update dependency swiper to v12 [SECURITY] Update dependency swiper to v12 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-swiper-vulnerability branch March 27, 2026 00:38
@renovate renovate Bot changed the title Update dependency swiper to v12 [SECURITY] - autoclosed Update dependency swiper to v12 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch from f259ffd to 437348b Compare March 30, 2026 18:02
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch from 437348b to 1d1eb4b Compare April 8, 2026 18:00
@renovate renovate Bot changed the title Update dependency swiper to v12 [SECURITY] Update dependency swiper to v12 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency swiper to v12 [SECURITY] - autoclosed Update dependency swiper to v12 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch 3 times, most recently from 9afb00c to 880269d Compare April 29, 2026 16:40
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch 2 times, most recently from 9c1bfd3 to 0460706 Compare May 18, 2026 14:42
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch from 0460706 to 7d3001c Compare May 28, 2026 16:53
@renovate renovate Bot force-pushed the renovate/npm-swiper-vulnerability branch from 7d3001c to 3516762 Compare June 11, 2026 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants