Critical severityNVD Advisory· Published Apr 12, 2021· Updated Sep 17, 2024
Prototype Pollution
CVE-2021-23370
Description
This affects the package swiper before 6.5.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| swiper (npm) | < 6.5.1 | 6.5.1 |
Affected products
1- Range: unspecified
Patches
1ec358deab79afix(core): fixed __proto__ pollution
5 files changed · +52 −39
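--- a/src/angular/src/utils/utils.ts
+++ b/src/angular/src/utils/utils.ts
@@ -8,20 +8,23 @@ export function isObject(o) {
 }
 export function extend(target, src) {
- Object.keys(src).forEach((key) => {
- if (typeof target[key] === 'undefined') {
- target[key] = src[key];
- return;
- }
- if (target[key] && !src[key]) {
- return;
- }
- if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
- extend(target[key], src[key]);
- } else {
- target[key] = src[key];
- }
- });
+ const noExtend = ['__proto__', 'constructor', 'prototype'];
+ Object.keys(src)
+ .filter((key) => noExtend.indexOf(key) < 0)
+ .forEach((key) => {
+ if (typeof target[key] === 'undefined') {
+ target[key] = src[key];
+ return;
+ }
+ if (target[key] && !src[key]) {
+ return;
+ }
+ if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+ extend(target[key], src[key]);
+ } else {
+ target[key] = src[key];
+ }
+ });
 }
 export function coerceBooleanProperty(value: any): boolean {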
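Review bot: The recursion guard in `extend` still reads `target[key]` through the prototype chain, so the new `noExtend` filter is the only thing keeping the merge away from inherited objects; requiring an own property before recursing, e.g. `Object.prototype.hasOwnProperty.call(target, key) && isObject(src[key]) && isObject(target[key])`, would also cover keys the three-name list does not anticipate. `isObject` is defined outside the hunk, so how it treats inherited values cannot be confirmed from here. The same applies to the matching `extend` bodies in src/react/utils.js, src/svelte/utils.js and src/vue/utils.js. A regression test that merges a parsed-JSON source carrying an own `__proto__` key and asserts that a fresh `{}` gains no new property would pin the fix.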
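--- a/src/react/utils.js
+++ b/src/react/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 function extend(target, src) {
- Object.keys(src).forEach((key) => {
- if (typeof target[key] === 'undefined') target[key] = src[key];
- else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
- extend(target[key], src[key]);
- } else {
- target[key] = src[key];
- }
- });
+ const noExtend = ['__proto__', 'constructor', 'prototype'];
+ Object.keys(src)
+ .filter((key) => noExtend.indexOf(key) < 0)
+ .forEach((key) => {
+ if (typeof target[key] === 'undefined') target[key] = src[key];
+ else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+ extend(target[key], src[key]);
+ } else {
+ target[key] = src[key];
+ }
+ });
 }
 function needsNavigation(params = {}) {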
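--- a/src/svelte/utils.js
+++ b/src/svelte/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 function extend(target, src) {
- Object.keys(src).forEach((key) => {
- if (typeof target[key] === 'undefined') target[key] = src[key];
- else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
- extend(target[key], src[key]);
- } else {
- target[key] = src[key];
- }
- });
+ const noExtend = ['__proto__', 'constructor', 'prototype'];
+ Object.keys(src)
+ .filter((key) => noExtend.indexOf(key) < 0)
+ .forEach((key) => {
+ if (typeof target[key] === 'undefined') target[key] = src[key];
+ else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+ extend(target[key], src[key]);
+ } else {
+ target[key] = src[key];
+ }
+ });
 }
 function needsNavigation(params = {}) {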
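--- a/src/utils/utils.js
+++ b/src/utils/utils.js
@@ -94,10 +94,11 @@ function isObject(o) {
 }
 function extend(...args) {
 const to = Object(args[0]);
+ const noExtend = ['__proto__', 'constructor', 'prototype'];
 for (let i = 1; i < args.length; i += 1) {
 const nextSource = args[i];
 if (nextSource !== undefined && nextSource !== null) {
- const keysArray = Object.keys(Object(nextSource)).filter((key) => key !== '__proto__');
+ const keysArray = Object.keys(Object(nextSource)).filter((key) => noExtend.indexOf(key) < 0);
 for (let nextIndex = 0, len = keysArray.length; nextIndex < len; nextIndex += 1) {
 const nextKey = keysArray[nextIndex];
 const desc = Object.getOwnPropertyDescriptor(nextSource, nextKey);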
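Review bot: `noExtend` is now declared separately in each of the five `extend` implementations and is re-created on every call here; a single module-level constant, shared with the framework wrappers if they can import from the core utils, would keep the lists from drifting apart. A short comment above it, such as `// keys that could reach Object.prototype when merging untrusted params`, would record why these keys are skipped. The body of `extend` continues past the end of the hunk, so the nested-merge path is not visible here.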
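--- a/src/vue/utils.js
+++ b/src/vue/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 function extend(target, src) {
- Object.keys(src).forEach((key) => {
- if (typeof target[key] === 'undefined') target[key] = src[key];
- else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
- extend(target[key], src[key]);
- } else {
- target[key] = src[key];
- }
- });
+ const noExtend = ['__proto__', 'constructor', 'prototype'];
+ Object.keys(src)
+ .filter((key) => noExtend.indexOf(key) < 0)
+ .forEach((key) => {
+ if (typeof target[key] === 'undefined') target[key] = src[key];
+ else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+ extend(target[key], src[key]);
+ } else {
+ target[key] = src[key];
+ }
+ });
 }
 function needsNavigation(props = {}) {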
References
10- github.com/advisories/GHSA-p3hc-fv2j-rp68ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-23370ghsaADVISORY
- github.com/nolimits4web/Swiper/commit/ec358deab79a8cd2529465f07a0ead5dbcc264adghsaWEB
- github.com/nolimits4web/swiper/blob/master/CHANGELOG.mdghsaWEB
- github.com/nolimits4web/swiper/commit/9dad2739b7474f383474773d5ab898a0c29ac178ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1244698ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1244699ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBNOLIMITS4WEB-1244697ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244696ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-SWIPER-1088062ghsax_refsource_MISCWEB