CVE-2026-27212
Prototype pollution vulnerability in swiper (npm)

Category: prototype pollution. Known public exploits: none.

What is CVE-2026-27212 About?

This vulnerability is a prototype pollution flaw in the 'swiper' npm package that allows an attacker to modify the global 'Object.prototype'. Such a modification can have severe consequences for applications that use the package, including authentication bypass or denial of service. Exploitation is plausible through crafted JSON input.

Affected Software

swiper >=6.5.1, <12.1.2

Technical Details

The vulnerability is a prototype pollution flaw in the 'swiper' npm package (versions >=6.5.1, <12.1.2), located in the extendDefaults function. It bypasses an earlier fix that screened for forbidden keys with indexOf(): the function relies on Array.prototype.indexOf to decide whether user-supplied input contains a forbidden string. An attacker who can first override Array.prototype.indexOf so that it always returns -1 defeats that check, after which a JSON payload using __proto__ to introduce new properties, such as {"__proto__":{"polluted":"yes"}}, passed through swiper.default.extendDefaults(JSON.parse(malicious_payload)) pollutes Object.prototype.

What is the Impact of CVE-2026-27212?

Successful exploitation may allow attackers to bypass authentication, cause denial of service through application crashes, or achieve remote code execution if polluted properties are passed to sensitive sinks.

What is the Exploitability of CVE-2026-27212?

Exploitation of this prototype pollution vulnerability is of low to medium complexity. An attacker needs to supply a specially crafted JSON input that is then parsed and passed to the swiper.default.extendDefaults function. No specific authentication or elevated privileges are strictly required; the application only needs to process attacker-controlled input with the vulnerable function. A critical prerequisite for the published PoC is the ability to modify Array.prototype.indexOf, which may require code injection or a prior pollution vulnerability. However, alternative prototype pollution paths might exist. The primary risk factor is any application endpoint that accepts and processes external JSON data that eventually flows into extendDefaults.
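The two passages above (Technical Details and Exploitability) describe why a forbidden-key filter built on indexOf() is fragile and what a polluted Object.prototype looks like. The following is an added example and is not swiper's code: weakExtend is a hypothetical reconstruction of the bypassed check pattern, safeExtend is a merge that compares keys with strict equality and only recurses into own properties, prototypeIsClean is a post-processing detection check, and resistsIndexOfBypass is a regression test that applies the advisory's payload under the precondition it names (indexOf forced to -1) and restores everything afterwards. The payload string and all function names are constructed for this example.

```javascript
// Added example, not swiper's code: the indexOf-based filter pattern the
// advisory describes next to a merge that depends on no mutable prototype
// method, plus a detection check and a self-cleaning regression test.

const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Weak pattern (hypothetical reconstruction of the bypassed check): the filter
// is only as trustworthy as Array.prototype.indexOf, which any earlier script
// or prior pollution in the same realm can replace.
function weakExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.indexOf(key) !== -1) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // target['__proto__'] resolves to Object.prototype through the accessor,
      // so once the key slips past the filter, recursing here writes into the
      // global prototype.
      if (!isPlainObject(target[key])) target[key] = {};
      weakExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: a strict string comparison cannot be redirected by swapping
// a prototype method, and only own, plain-object properties of target are
// ever recursed into, never inherited ones.
function isForbiddenKey(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (isForbiddenKey(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check to run after untrusted input has been processed: Object.keys
// lists enumerable own keys, and a property added to Object.prototype by plain
// assignment is enumerable, so a clean prototype yields an empty list.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Regression test: apply the advisory's payload while Array.prototype.indexOf
// always returns -1 (the precondition the advisory names) and report whether
// Object.prototype stayed clean. The `finally` block restores indexOf and
// removes any polluted key so the check leaves no lasting side effects.
function resistsIndexOfBypass(extendFn) {
  // Constructed payload, matching the advisory's {"__proto__":{"polluted":"yes"}} shape.
  const payload = '{"__proto__":{"polluted":"yes"},"speed":300}';
  const originalIndexOf = Array.prototype.indexOf;
  Array.prototype.indexOf = function () { return -1; };
  try {
    extendFn({}, JSON.parse(payload));
    return prototypeIsClean() && ({}).polluted === undefined;
  } finally {
    Array.prototype.indexOf = originalIndexOf;
    delete Object.prototype.polluted;
  }
}

console.log('weakExtend resists indexOf bypass:', resistsIndexOfBypass(weakExtend)); // false
console.log('safeExtend resists indexOf bypass:', resistsIndexOfBypass(safeExtend)); // true
```

Two design points: the hardened version rejects 'constructor' and 'prototype' as well as '__proto__', because a nested {"constructor":{"prototype":{...}}} reaches the same object by another route; and prototypeIsClean is cheap enough to run as an assertion in integration tests for any endpoint that feeds external JSON into an options merger.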

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2026-27212?

Available Upgrade Options

  • swiper
    • >=6.5.1, <12.1.2 → Upgrade to 12.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2026-27212?

Similar Vulnerabilities: CVE-2023-26136, CVE-2023-26137, CVE-2023-26138, CVE-2023-26139, CVE-2023-26140