CVE-2021-23370
Prototype pollution vulnerability in swiper (npm)
What is CVE-2021-23370 About?
Versions of the `swiper` npm package before 6.5.1 are susceptible to prototype pollution: an attacker who controls input that swiper merges into an object can add or overwrite properties of `Object.prototype`, which every ordinary JavaScript object then inherits. Depending on what the rest of the application does with those objects, the result can be denial of service, information disclosure or, where a polluted property reaches a code-execution sink, remote code execution. Exploitation requires delivering specially crafted input to the application.
Affected Software
- swiper (npm) before 6.5.1; the Snyk entries listed under Additional Resources also track the org.webjars (Maven) repackagings of the same code
Technical Details
The vulnerability in the swiper package (before 6.5.1) is a prototype pollution flaw in its handling of object input: a merge that recurses through user-supplied keys without rejecting the ones that reach a prototype. In JavaScript every ordinary object inherits from the global `Object.prototype`, and the key `__proto__` (or the path `constructor.prototype`) on any object resolves to that shared prototype rather than to an own property. When a recursive merge or property-assignment routine walks attacker-controlled input such as configuration options or data, an input shaped like `{"__proto__": {"someProperty": "someValue"}}`, or a flattened form such as `__proto__.someProperty=someValue` or `constructor.prototype.someProperty=someValue`, makes the routine write `someProperty` onto `Object.prototype`, so every object in the application suddenly reports that property. The consequences depend on what else reads the polluted property: unexpected behaviour, denial of service when a core method or a flag the code relies on is overwritten, or remote code execution if the value reaches a sensitive sink such as a command execution or module-loading call elsewhere in the application. The standard fix, and what a reviewer should look for in the fix commits referenced below, is to skip the `__proto__`, `constructor` and `prototype` keys during the merge and to recurse only into the target's own properties.
What is the Impact of CVE-2021-23370?
Successful exploitation lets an attacker inject arbitrary properties into object prototypes. Pollution on its own does nothing visible; the actual impact is set by whatever code later reads the polluted property (the gadget), which is why the same bug ranges from denial of service or information disclosure up to, in specific architectural contexts, remote code execution.
What is the Exploitability of CVE-2021-23370?
Exploitation is remote: the attacker crafts input (JSON, URL parameters or another data structure) that the application hands to swiper, which then merges it. No authentication is normally required, since the input can originate from any user interaction, and no special privileges are needed. Complexity is moderate because the attacker has to understand the application's data flow, that is, where untrusted data reaches swiper's configuration or data handling and what code in the application acts on the polluted property afterwards. The likelihood of exploitation is highest in applications that deserialize or deep-merge untrusted, user-controlled data into JavaScript objects, in particular where swiper is configured from dynamic content or from sources outside the application's control. Since swiper is primarily a browser-side library, pollution usually lands in the victim's page context and has the effect of a client-side script injection; in a server-side rendering or other Node.js context the polluted prototype is shared by the whole process.
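The merge pattern described under Technical Details and the crafted-input route described under Exploitability, as one added JavaScript example that is not swiper's code and not a known exploit: the `isObject`, `extendUnsafe`, `extendSafe`, `optionsFromUrl` and `applyUntrustedOptions` functions, the `?config=` parameter and the `PAYLOAD` string are all constructed for illustration, and the hardened version shows the fix shape a reviewer would look for.

```javascript
// Added example, not swiper's code: a recursive "extend"/deep-merge of the shape that
// prototype pollution advisories describe, beside a hardened version, fed with the
// kind of crafted input an attacker would deliver.

// Loose object test of the kind deep-merge helpers commonly use. It is true for
// Object.prototype itself, which is what lets the walk descend into __proto__.
const isObject = (o) => o !== null && typeof o === 'object' && o.constructor === Object;

// Vulnerable: recurses into whatever target[key] yields, including the inherited
// __proto__ accessor, so source.__proto__.x is written onto Object.prototype.
function extendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObject(value)) {
      if (!isObject(target[key])) target[key] = {};
      extendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuses the keys that reach a prototype and only recurses into the
// target's own properties, so nothing inherited is ever written to.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = {};
      }
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a JSON options blob as it might arrive in a URL parameter.
// Kept as a raw string because an object literal with a __proto__ key would set the
// literal's prototype instead of creating the own property that JSON.parse creates.
const PAYLOAD = '{"slidesPerView":3,"__proto__":{"polluted":true}}';

// Hypothetical delivery route: the page reads its slider options from ?config=.
function optionsFromUrl(href) {
  return new URL(href).searchParams.get('config');
}

// Hypothetical application code: merges untrusted options into defaults with the given
// helper, then reports whether an unrelated fresh object now inherits the planted key.
function applyUntrustedOptions(extendFn, untrustedJson) {
  const defaults = { slidesPerView: 1, loop: false };
  const merged = extendFn(defaults, JSON.parse(untrustedJson));
  const unrelated = {}; // stands in for any other object in the page, e.g. a per-user config
  const result = {
    slidesPerView: merged.slidesPerView,
    polluted: unrelated.polluted === true,
  };
  delete Object.prototype.polluted; // undo the pollution so the demo cannot leak into later code
  return result;
}

// Usage: same input, vulnerable merge then hardened merge.
const untrusted = optionsFromUrl('https://app.example/gallery?config=' + encodeURIComponent(PAYLOAD));
const before = applyUntrustedOptions(extendUnsafe, untrusted); // { slidesPerView: 3, polluted: true }
const after = applyUntrustedOptions(extendSafe, untrusted);    // { slidesPerView: 3, polluted: false }
console.log({ before, after });
```

The hardened merge does two things, and both matter: dropping the three dangerous keys closes the `__proto__` and `constructor.prototype` routes, and the own-property check stops the recursion from ever descending into something the target merely inherits, which protects against a future key that happens to resolve to a shared object. Note that the polluted value survives the merge call itself; it is the later read on an unrelated object that exposes the damage, which is why the demo checks a fresh `{}` rather than the merged result.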
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23370?
Available Upgrade Options
- swiper
- <6.5.1 → Upgrade to 6.5.1
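A check for the upgrade above, as an added example that is not tooling from this page, from swiper or from npm: it reads a lockfile's `packages` map (npm lockfileVersion 2 or 3) and lists every installed copy of swiper below 6.5.1, including transitive copies nested under other packages. The `SAMPLE_LOCK` object is a constructed lockfile fragment and the function names are the example's own.

```javascript
// Added example, not Resolved Security's or swiper's tooling: scan an npm lockfile
// (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) for
// every installed copy of swiper below the fixed version 6.5.1.

const FIXED_VERSION = '6.5.1';

// Parse "major.minor.patch[-prerelease]" into comparable parts; null if unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v || '');
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// True when version is below FIXED_VERSION, false when fixed, null when unparsable.
// A prerelease of the fixed version (6.5.1-beta.2) sorts below the release and is
// therefore still reported as not fixed.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  const fixed = parseVersion(FIXED_VERSION);
  if (!v) return null; // unknown format: the caller flags it for manual review
  for (let i = 0; i < 3; i++) {
    if (v.core[i] !== fixed.core[i]) return v.core[i] < fixed.core[i];
  }
  return v.prerelease !== null;
}

// Walk the "packages" map and return every swiper install path that is vulnerable
// or unparsable. Nested copies (node_modules/x/node_modules/swiper) are included,
// since a transitive copy is just as reachable at runtime as a top-level one.
function findVulnerableSwiper(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/swiper$/.test(path)) continue;
    const vulnerable = isVulnerableVersion(meta.version);
    if (vulnerable === null || vulnerable) {
      findings.push({
        path,
        version: meta.version || '(missing)',
        status: vulnerable === null ? 'unparsable' : 'vulnerable',
      });
    }
  }
  return findings;
}

// Constructed lockfile fragment for the demo: a direct vulnerable copy, a fixed nested
// copy, and a prerelease of the fixed version pulled in by another dependency.
const SAMPLE_LOCK = {
  name: 'gallery-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'gallery-app', dependencies: { swiper: '^6.4.0' } },
    'node_modules/swiper': { version: '6.4.15' },
    'node_modules/widget-a/node_modules/swiper': { version: '6.5.1' },
    'node_modules/widget-b/node_modules/swiper': { version: '6.5.1-beta.2' },
  },
};

// Usage: in a real run, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')).
console.log(findVulnerableSwiper(SAMPLE_LOCK));
```

`npm audit` normally reports this advisory, but a lockfile walk like this one is useful in offline pipelines and makes nested copies explicit: upgrading the direct dependency does not help if a widget still pins its own vulnerable swiper underneath it.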
Additional Resources
- https://osv.dev/vulnerability/GHSA-p3hc-fv2j-rp68
- https://snyk.io/vuln/SNYK-JS-SWIPER-1088062
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1244698
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1244699
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBNOLIMITS4WEB-1244697
- https://github.com/nolimits4web/swiper/commit/9dad2739b7474f383474773d5ab898a0c29ac178
- https://github.com/nolimits4web/Swiper/commit/ec358deab79a8cd2529465f07a0ead5dbcc264ad
- https://nvd.nist.gov/vuln/detail/CVE-2021-23370
What are Similar Vulnerabilities to CVE-2021-23370?
Similar Vulnerabilities: CVE-2020-28283, CVE-2020-15250, CVE-2020-7760, CVE-2020-8116, CVE-2019-10744
