Update dependency swiper to v12 [SECURITY]#288
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
✅ Deploy Preview for content-ops-starter ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
8cfac8a to
f259ffd
Compare
f259ffd to
437348b
Compare
437348b to
1d1eb4b
Compare
9afb00c to
880269d
Compare
9c1bfd3 to
0460706
Compare
0460706 to
7d3001c
Compare
7d3001c to
3516762
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^11.1.4→^12.0.0Prototype pollution in swiper
CVE-2026-27212 / GHSA-hmx5-qpq5-p643
More information
Details
Summary
A prototype pollution vulnerability exists in the the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute
Object.prototypevia a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2Details
The vulnerability resides in line 94 of shared/utils.mjs where indexOf() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
Actual behavior
Object.prototype is polluted
This is printed on the console:
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how swiper is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.
It could potentially lead to the following problems:
Array.prototype.indexOfproperty can result in crash when swiper.default.extendDefaults is called because swiper makes use of this global property. This can lead to Denial of Service.Related CVEs
CVE-2026-25521
CVE-2026-25047
CVE-2026-26021
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nolimits4web/Swiper (swiper)
v12.1.2Compare Source
v12.1.1Compare Source
Bug Fixes
v12.1.0Compare Source
Bug Fixes
data-swiper-slide-indexforrealIndexwhen virtual module is enabled (#8142) (bd957f8)autoScrolltothumbs.updatetype signature (#8146) (5d91e6e)Features
v12.0.3Compare Source
Bug Fixes
Features
v12.0.2Compare Source
Features
addIconsparameter to add SVG icons to nav buttons (b955b0c), closes #8088 #8087v12.0.1Compare Source
Bug Fixes
v12.0.0Compare Source
Bug Fixes
Features
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.