CVE-2018-25031
Spoofing vulnerability in swagger-ui (npm)
What is CVE-2018-25031 About?
Swagger UI before 4.1.3 allows a remote attacker to conduct spoofing attacks. By tricking a victim into opening a crafted link to a legitimate Swagger UI instance, the attacker can make that instance fetch and render an attacker-controlled OpenAPI definition, so the forged API documentation appears under the trusted site's own domain. Exploitation requires user interaction (the victim must follow the link).
Affected Software
- swagger-ui (npm)
  - <4.1.3
- org.webjars:swagger-ui (Maven)
  - <4.1.3
Technical Details
Swagger UI before version 4.1.3 is vulnerable to spoofing (CWE-451, user interface misrepresentation of critical information). Swagger UI reads configuration overrides from the page's query string, including the `url` parameter that names the OpenAPI definition to load, and versions before 4.1.3 honour these overrides unconditionally, with no check that the definition comes from the deployment's own origin or an approved source. An attacker therefore hosts a definition of their choosing and crafts a link such as `https://api.example.com/swagger-ui/?url=https://attacker.example/openapi.json` (illustrative hostnames). If a victim opens it, the genuine Swagger UI page loads and displays the attacker's definition: the browser address bar shows the trusted domain, but the endpoints, descriptions, server URLs and any "Try it out" forms are the attacker's. This can trick users into believing they are interacting with a trusted API, enabling phishing or other social engineering tactics.
What is the Impact of CVE-2018-25031?
Successful exploitation lets an attacker display a malicious or misleading OpenAPI definition under a domain the victim trusts. Because Swagger UI's "Try it out" feature sends requests to whatever server URLs the loaded definition declares, a victim who interacts with the spoofed page may submit credentials, tokens or other request data to an attacker-chosen host. The result is phishing, social engineering, or misdirection of users rather than direct compromise of the Swagger UI host itself.
What is the Exploitability of CVE-2018-25031?
Exploitation requires user interaction: a victim must be persuaded to open a specially crafted URL supplied by the attacker. The attack is remote, needs no authentication and no privileges on the target, and has low complexity, since the attacker only has to host an OpenAPI definition and append its address to a link to an existing Swagger UI deployment. The risk increases where Swagger UI URLs are routinely shared by link (documentation portals, developer onboarding, support tickets) and where the deployment has no mechanism to restrict which definition sources may be loaded.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| afine-com | Link | .json and .yaml files used to exploit CVE-2018-25031 |
| mathis2001 | Link | CVE-2018-25031 tests |
| rafaelcintralopes | Link | Exploit Swagger UI - User Interface (UI) Misrepresentation of Critical Information (CVE-2018-25031) |
What are the Available Fixes for CVE-2018-25031?
About the Fix from Resolved Security
This patch adds a queryConfigEnabled configuration option, defaulting to false, which explicitly controls whether configuration parameters can be overridden via URL query parameters. With the default in place, a crafted `?url=...` link no longer changes which OpenAPI definition the page loads, which closes the spoofing vector described above. Deployments that depend on query-string overrides (for example, links that select a definition with `?url=`) must set queryConfigEnabled to true to keep that behaviour, and in doing so re-open the vector; such deployments should restrict which definition sources they accept rather than rely on the upgrade alone.
Available Upgrade Options
- swagger-ui (npm)
  - <4.1.3 → Upgrade to 4.1.3 or later
- org.webjars:swagger-ui (Maven)
  - <4.1.3 → Upgrade to 4.1.3 or later
Additional Resources
- https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3
- https://github.com/swagger-api/swagger-ui/issues/4872
- https://github.com/swagger-api/swagger-ui/pull/7697
- https://snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884
- https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885
- https://security.netapp.com/advisory/ntap-20220407-0004/
- https://osv.dev/vulnerability/GHSA-cr3q-pqgq-m8c2
- https://nvd.nist.gov/vuln/detail/CVE-2018-25031
What are Similar Vulnerabilities to CVE-2018-25031?
Similar Vulnerabilities: CVE-2020-8022, CVE-2021-36365, CVE-2021-27921, CVE-2023-28435, CVE-2022-24874
