CVE-2019-17495
Description
CSS injection in Swagger UI before 3.23.11 allows attackers to exfiltrate CSRF tokens via Relative Path Overwrite (RPO) using crafted JSON with @import.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
What is the vulnerability?
A Cascading Style Sheets (CSS) injection vulnerability exists in Swagger UI prior to version 3.23.11 [1]. The application intentionally allows untrusted JSON data to be embedded from remote servers, and it was discovered that the @import directive within that JSON data can be used as an attack vector. By injecting a CSS import statement, an attacker can leverage the Relative Path Overwrite (RPO) technique to exfiltrate sensitive information from HTML input fields.
How is it exploited?
An attacker can craft a malicious JSON payload containing a @import rule and host it on a server under their control, or pass it via the url parameter in the Swagger UI query string [2]. When a victim visits a crafted link, Swagger UI loads the attacker's JSON, which triggers the browser to fetch the attacker's CSS file. Using RPO, the attacker can manipulate the CSS to read values from input fields, such as CSRF tokens, and send them to an external server.
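As an added defensive illustration (not code from Swagger UI or the advisory), the following heuristic walks an untrusted OpenAPI/JSON document before it is handed to a renderer and reports string values carrying CSS import syntax, the vector this CVE relies on. The pattern list, the path notation and the two sample documents are constructed assumptions.

```javascript
// Added example, not Swagger UI's own code: a pre-load heuristic that walks an
// untrusted OpenAPI/JSON document and flags string values containing CSS
// import syntax (the @import vector of CVE-2019-17495). Patterns and sample
// documents below are constructed for illustration.

const CSS_IMPORT_PATTERNS = [
  /@import\b/i,   // @import "x.css" / @import url(...)
  /url\s*\(/i,    // url(...) inside a CSS declaration
  /<style[\s>]/i, // inline <style> blocks smuggled into description fields
];

/**
 * Recursively walk `node` and collect every string value that matches one of
 * the CSS patterns. Returns [{ path, value, pattern }] so the caller can log
 * the finding or reject the document before rendering it.
 */
function findCssInjection(node, path = "$", hits = []) {
  if (typeof node === "string") {
    for (const re of CSS_IMPORT_PATTERNS) {
      if (re.test(node)) {
        hits.push({ path, value: node, pattern: re.source });
        break; // one finding per string is enough
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findCssInjection(item, `${path}[${i}]`, hits));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      findCssInjection(value, `${path}.${key}`, hits);
    }
  }
  return hits;
}

/** Convenience wrapper: true when no CSS import syntax was found. */
function isSpecClean(spec) {
  return findCssInjection(spec).length === 0;
}

// Constructed samples: a benign spec, and one with a CSS import placed in a
// description field (a field Swagger UI renders into the page).
const benignSpec = {
  openapi: "3.0.0",
  info: { title: "Pets", description: "Plain **markdown** only" },
};
const taintedSpec = {
  openapi: "3.0.0",
  info: { title: "Pets", description: '@import "https://example.invalid/x.css";' },
};
```

The check is a coarse pre-filter for specs loaded via the url parameter; the actual fix is the renderer change shipped in 3.23.11, so it complements rather than replaces the upgrade.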
Impact
Successful exploitation allows an attacker to extract CSRF tokens or other input field values [2]. With a CSRF token, the attacker can perform cross-site request forgery attacks on behalf of the victim, potentially leading to unauthorized actions. No authentication or direct user interaction beyond visiting the crafted URL is required.
Mitigation
The vulnerability is fixed in Swagger UI version 3.23.11 and later [1][3]. Users should upgrade to the latest version. Projects using Springfox or other libraries that bundle Swagger UI should also update their dependencies [3]. As a temporary workaround, avoid clicking on untrusted Swagger UI links, but upgrading is the recommended solution.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| swagger-ui | npm | < 3.23.11 | 3.23.11 |
| org.webjars:swagger-ui | Maven | < 3.23.11 | 3.23.11 |
| org.webjars.npm:swagger-ui | Maven | < 3.23.11 | 3.23.11 |
| io.springfox:springfox-swagger-ui | Maven | < 2.10.0 | 2.10.0 |
Affected products
- Swagger / Swagger UI
- Package coordinates from the GHSA (4 version ranges, no CPE assigned):
  - pkg:maven/io.springfox/springfox-swagger-ui, range: < 2.10.0
  - pkg:maven/org.webjars.npm/swagger-ui, range: < 3.23.11
  - pkg:maven/org.webjars/swagger-ui, range: < 3.23.11
  - pkg:npm/swagger-ui, range: < 3.23.11
Patches
277f4651cbf5brelease: v3.23.11
6 files changed · +14 −14
dist/swagger-ui-bundle.js+8 −8 modifieddist/swagger-ui-bundle.js.map+1 −1 modifieddist/swagger-ui.js+2 −2 modifieddist/swagger-ui.js.map+1 −1 modifiedpackage.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "swagger-ui", - "version": "3.23.10", + "version": "3.23.11", "main": "dist/swagger-ui.js", "repository": "git@github.com:swagger-api/swagger-ui.git", "contributors": [
package-lock.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "swagger-ui", - "version": "3.23.10", + "version": "3.23.11", "lockfileVersion": 1, "requires": true, "dependencies": {
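Review bot: the only readable change in these two hunks is the version string bump from "3.23.10" to "3.23.11" in package.json and package-lock.json; the behavioural fix lives in the rebuilt dist/swagger-ui-bundle.js (+8 −8) and dist/swagger-ui.js (+2 −2), which are minified build artifacts whose diff is not expanded here. Consider linking the source commit that changed the rendering code so a reviewer can verify how @import in the loaded JSON is now handled instead of trusting the bundle rebuild.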
26f72f0d16b1Upgrade to version of swagger which fixes css injection vulnerability as defined in https://github.com/tarantula-team/CSS-injection-in-Swagger-UI
1 file changed · +1 −1
springfox-swagger-ui/build.gradle+1 −1 modified@@ -29,7 +29,7 @@ plugins { } ext { - swaggerUiVersion = '3.23.4' + swaggerUiVersion = '3.23.11' swaggerUiDist = "build/libs/swagger-ui-dist.zip" swaggerUiExplodedDir = "swagger-ui-${swaggerUiVersion}/dist/" downloadUrl = "https://github.com/swagger-api/swagger-ui/archive/v${swaggerUiVersion}.zip"
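Review bot: the bump from swaggerUiVersion = '3.23.4' to '3.23.11' skips several patch releases, so this change pulls in more than the CSS-injection fix; the commit message should name CVE-2019-17495 or the GHSA advisory rather than only the third-party tarantula-team repository, and since downloadUrl is derived from ${swaggerUiVersion} it is worth confirming that the v3.23.11 archive tag resolves before merging.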
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c427-hjc3-wrfw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-17495 (NVD advisory)
- github.com/springfox/springfox/commit/26f72f0d16b166e12c20255a4ee907dc10685cf8 (Springfox fix commit)
- github.com/swagger-api/swagger-ui/releases/tag/v3.23.11 (Swagger UI release)
- lists.apache.org/thread.html/r103579b01da2d0aa0f672b88f811224bbf8ef493aaad845895955e91@%3Ccommits.airflow.apache.org%3E (Apache Airflow commits mailing list)
- lists.apache.org/thread.html/r3acb7e494cf1aab99b6784b7c5bbddfd0d4f8a484ab534c3a61ef9cf@%3Ccommits.airflow.apache.org%3E (Apache Airflow commits mailing list)
- lists.apache.org/thread.html/r84b327f7a8b6b28857b906c07a66dd98e1d341191fa8d7816514ef96@%3Ccommits.airflow.apache.org%3E (Apache Airflow commits mailing list)
- lists.apache.org/thread.html/r853ffeb915a400f899de78124d4e0d77a19379d2e11bf8f4e98c624f@%3Ccommits.airflow.apache.org%3E (Apache Airflow commits mailing list)
- lists.apache.org/thread.html/ref70b940c4f69560d29d6ba792d6c82865e74de3dcad4c92d99b1f8f@%3Ccommits.airflow.apache.org%3E (Apache Airflow commits mailing list)
- security.snyk.io/vuln/maven (Snyk)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update, January 2022)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)