Swiper Prototype Pollution Vulnerability Allowing Authentication Bypass, Denial-of-Service, and Remote Code Execution

Vulnerability

A prototype pollution vulnerability has been identified in the Swiper package, affecting versions 6.5.1 through 12.1.1. The issue is in the 'shared/utils.mjs' file, where 'indexOf()' is used to check user-supplied keys against a list of forbidden strings. Although an earlier fix attempted to address prototype pollution by filtering out certain keys, the vulnerability persists: crafted input can still reach 'Object.prototype' by way of 'Array.prototype'. The flaw is exploitable on both Windows and Linux, and under both the Node and Bun runtimes. Applications that pass attacker-controlled input to this package may be exposed to authentication bypass, denial-of-service, or remote code execution.

Impact

Exploitation of this vulnerability results in prototype pollution, and the severity of the consequences depends on how the application uses Swiper. Possible outcomes are authentication bypass, denial-of-service (especially when combined with prototype pollution from other dependencies), and remote code execution if the polluted properties reach contexts such as 'eval' or 'child_process'.

Reproduction

To reproduce this vulnerability, install a Swiper version in the affected range (6.5.1 through 12.1.1). After installation, override the 'Array.prototype.indexOf' method so that the input validation no longer rejects the forbidden keys. Then call the 'swiper.default.extendDefaults' method with a crafted payload that modifies 'Object.prototype'. The injected property, printed to the console, demonstrates the prototype pollution.

Remediation

Users can upgrade to Swiper version 12.1.2 or later, where this vulnerability has been fixed.
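For readers who maintain a similar options-merging helper, the following is an added example (not Swiper's code) of a key filter that does not depend on 'Array.prototype.indexOf', together with a check for whether 'Object.prototype' has already been polluted. The names 'mergeDefaults', 'isPrototypePolluted' and 'BLOCKED_KEYS' are assumptions for illustration.

```javascript
// Added example, not Swiper's implementation. Hardened deep-merge for option
// objects: blocked keys are held in a Set and tested with a method captured
// before any input is processed, so tampering with Array.prototype (or with
// Set.prototype.has) afterwards is not consulted on the validation path.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const blockedHas = Set.prototype.has.bind(BLOCKED_KEYS);

// Only plain objects (Object.prototype or null prototype) are merged into.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' &&
  (Object.getPrototypeOf(v) === Object.prototype ||
   Object.getPrototypeOf(v) === null);

function mergeDefaults(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {   // own, enumerable keys only
    if (blockedHas(key)) continue;           // drop prototype-steering keys
    const value = source[key];
    if (isPlainObject(value)) {
      // Never descend into an inherited property of the target; only recurse
      // into an own, plain-object slot, creating it when absent.
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeDefaults(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: true if Object.prototype now carries an own property
// with the given name (useful as a startup or test-time canary).
function isPrototypePolluted(probeKey) {
  return Object.hasOwn(Object.prototype, probeKey);
}

// Constructed sample inputs shaped like the payloads a merge helper may see.
const hostile1 = JSON.parse('{"__proto__":{"polluted":1}}');
const hostile2 = JSON.parse(
  '{"constructor":{"prototype":{"polluted":2}},"a":{"c":3}}');
mergeDefaults({}, hostile1);
const merged = mergeDefaults({ a: { b: 1 } }, hostile2);
console.log(JSON.stringify(merged), isPrototypePolluted('polluted'));
```

Note that 'JSON.parse' produces an own property literally named '__proto__', which is why the filter must run on every own key rather than relying on assignment semantics.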

Added: Feb 21, 2026, 6:39 AM
Updated: Feb 21, 2026, 6:39 AM

Vulnerability Rating (Custom Algorithm)

  spread          4.2
  impact         10.0
  exploitability  3.6
  remediation     7.7
  relevance       3.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.