Swiper has a Prototype Pollution Vulnerability
Description
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user-provided input contains forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: authentication bypass, denial of service and RCE. This issue is fixed in version 12.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Swiper versions 6.5.1 through 12.1.1 contain a prototype pollution vulnerability that can lead to authentication bypass, denial of service, or remote code execution; fixed in 12.1.2.
Vulnerability
Overview
A prototype pollution vulnerability exists in the Swiper package (versions 6.5.1 to 12.1.1). The issue is in line 94 of shared/utils.mjs, where the indexOf() function is used to check if user-supplied input contains forbidden strings. Despite a previous fix that attempted to block prototype pollution by checking for forbidden keys, the check can be bypassed if an attacker overrides Array.prototype.indexOf to always return -1. This allows the attacker to pollute Object.prototype via a crafted JSON payload containing __proto__ keys. [2][3]
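As an added illustration (not Swiper's code and not the 12.1.2 fix itself), the following deep-merge refuses the prototype-polluting keys the advisory names. The guard compares keys with strict equality in a `switch` rather than looking them up with `indexOf()` on an array, so the check does not depend on a method living on a mutable prototype, and it walks only own enumerable keys of the parsed input. The payload is constructed for the example; `safeExtend`, `isForbiddenKey` and `isPlainObject` are hypothetical names.

```javascript
// Added example, not Swiper's code: a deep-merge guarded against prototype pollution.
// The guard compares keys with strict equality in a switch, so it does not rely on
// Array.prototype.indexOf (or any other method living on a mutable prototype).
// Function names (safeExtend, isForbiddenKey, isPlainObject) are hypothetical.

function isForbiddenKey(key) {
  switch (key) {
    case '__proto__':
    case 'constructor':
    case 'prototype':
      return true;
    default:
      return false;
  }
}

// A "plain" object is one whose prototype is Object.prototype or null
// (e.g. the result of JSON.parse). Class instances, arrays, etc. are copied by reference.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeExtend(target, source) {
  // Object.keys yields own enumerable keys only, so inherited properties are never walked.
  for (const key of Object.keys(source)) {
    if (isForbiddenKey(key)) continue; // drop __proto__ / constructor / prototype entirely
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into an object the target itself owns; otherwise start a fresh one
      // so we never write through to an inherited object.
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape the advisory describes: parsed JSON carrying
// "__proto__" as an own key, plus a nested constructor.prototype path.
function demo() {
  const payload = JSON.parse(
    '{"speed":300,"__proto__":{"polluted":"yes"},' +
    '"nav":{"constructor":{"prototype":{"polluted":"yes"}},"enabled":true}}'
  );
  const merged = safeExtend({ speed: 100, loop: false }, payload);
  return {
    speed: merged.speed,                       // 300: legitimate key merged
    loop: merged.loop,                         // false: default kept
    navEnabled: merged.nav.enabled,            // true: legitimate nested key merged
    navKeys: Object.keys(merged.nav),          // ['enabled']: constructor path dropped
    globalPolluted: ({}).polluted,             // undefined: Object.prototype untouched
    mergedOwnsProto: Object.hasOwn(merged, '__proto__'), // false
  };
}
```

The design choice worth noting for defenders: a forbidden-key list held in an array and consulted via a prototype method is only as trustworthy as that prototype, whereas a `switch` on string literals and `Object.keys()` over the parsed input have no such dependency. Checking `({}).polluted` after the merge is a cheap regression test that the global prototype was left alone.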
Exploitation
An attacker can exploit this vulnerability by passing attacker-controlled input (e.g., parsed JSON) to any Swiper function that processes such input, such as extendDefaults. On Node.js and Bun runtimes, the exploit works across Windows and Linux. The attacker must be able to influence the input processed by the package, which is common in applications that handle user data. [3]
Impact
Successful prototype pollution can have severe consequences, including authentication bypass (if polluted properties affect authentication logic), denial of service (if the global Array.prototype.indexOf is overridden, causing Swiper to crash), and potentially remote code execution if the polluted properties are used in subsequent code paths. [2][3]
Mitigation
The vulnerability is fixed in Swiper version 12.1.2. Users should update to this version or later. No workarounds are provided in the advisory. [4]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| swiper (npm) | >= 6.5.1, < 12.1.2 | 12.1.2 |
Affected products
- (no CPE) range: >=6.5.1 <=12.1.1
- (no CPE) range: >= 6.5.1, < 12.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hmx5-qpq5-p643 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27212 (GHSA, advisory)
- github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf (GHSA, x_refsource_MISC, web)
- github.com/nolimits4web/swiper/releases/tag/v12.1.2 (GHSA, x_refsource_MISC, web)
- github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.