Fixed versions
6.5.2
12.1.2
A prototype pollution vulnerability has been identified in the swiper npm package, affecting versions from 6.5.1 up to, but not including, 12.1.2. This vulnerability allows attackers to modify Object.prototype, potentially leading to remote code execution. The issue stems from insufficient input validation within the shared/utils.mjs file and is fixed in version 12.1.2.
Prototype pollution vulnerabilities enable attackers to inject arbitrary properties into JavaScript objects, including built-in prototypes like Object.prototype. Successful exploitation of CVE-2026-27212 allows an attacker to modify the behavior of existing JavaScript code by adding or overwriting properties on Object.prototype. This can lead to a wide range of consequences, including denial of service, information disclosure, and even remote code execution if the polluted properties are used in sensitive operations. The vulnerability’s impact is amplified by its ability to affect both Node.js and Bun runtimes, broadening the attack surface. The use of Array.prototype to bypass previous mitigations highlights the complexity of preventing prototype pollution.
This vulnerability was publicly disclosed on 2026-02-19. A public proof-of-concept is likely to emerge given the ease of exploitation and the critical severity. The vulnerability is not currently listed on the CISA KEV catalog, but its CRITICAL CVSS score warrants close monitoring. The bypass of previous mitigation attempts suggests attackers may actively seek to exploit this flaw.
Applications utilizing the swiper npm package in Node.js or Bun environments are at risk, particularly those that accept user-supplied data and pass it directly to swiper components without proper validation. Projects relying on older versions of swiper (>=6.5.1, < 12.1.2) are especially vulnerable.
• nodejs / supply-chain: npm list swiper
• nodejs / supply-chain: npm audit swiper
• nodejs / supply-chain: find node_modules -name "utils.mjs" -exec grep -i 'indexOf()' {} \;
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27212 is to upgrade the swiper package to version 12.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing runtime checks to validate user-supplied input before passing it to the swiper library. While a direct WAF rule is unlikely to be effective, input sanitization at the application level can help prevent malicious payloads from reaching the vulnerable code. Carefully review any user-provided data used within swiper components and ensure it adheres to strict validation rules.
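The runtime input check recommended above, as an added example that is not code from the swiper project or the advisory. It assumes the untrusted options arrive as a JSON string and should be a tree of plain objects, arrays and primitives; the forbidden key names are the usual prototype-pollution gadgets, not details taken from the advisory.

```javascript
// Added example: validate untrusted option data before it is handed to swiper.
// Assumed: options are a JSON string decoding to plain objects/arrays/primitives
// (the usual shape of swiper options such as slidesPerView or breakpoints).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Depth-first walk that throws on any key a deep merge could use to reach
// Object.prototype. Arrays are walked as well, because polluting objects can
// be carried inside array elements.
function assertSafeOptions(value, path = 'options') {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertSafeOptions(item, `${path}[${i}]`));
    return value;
  }
  // Only plain objects are acceptable; anything with a custom prototype
  // (class instances and the like) is rejected outright.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError(`${path}: expected a plain object`);
  }
  // Object.keys lists own enumerable keys, which includes a key literally
  // named "__proto__" when the object came from JSON.parse.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`${path}.${key}: forbidden key`);
    }
    assertSafeOptions(value[key], `${path}.${key}`);
  }
  return value;
}

// Parse and validate in one step; the caller passes the result to swiper.
function safeSwiperOptions(json) {
  return assertSafeOptions(JSON.parse(json));
}

// Constructed sample input: one benign configuration and two hostile ones.
const benign = '{"slidesPerView": 3, "breakpoints": {"640": {"slidesPerView": 2}}}';
console.log(safeSwiperOptions(benign).slidesPerView); // 3
const hostile = [
  '{"__proto__": {"polluted": true}}',
  '{"breakpoints": [{"constructor": {"prototype": {"polluted": true}}}]}',
];
for (const input of hostile) {
  try { safeSwiperOptions(input); } catch (e) { console.log('rejected:', e.message); }
}
console.log(({}).polluted); // undefined: Object.prototype untouched
```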
Update the Swiper library to version 12.1.2 or later. This fixes the Prototype Pollution vulnerability. Be sure to test the update in a development environment before deploying it to production.
CVE-2026-27212 is a critical prototype pollution vulnerability in the swiper npm package, allowing attackers to modify the Object.prototype and potentially achieve remote code execution.
You are affected if your project uses swiper versions 6.5.1 through 12.1.1. Check your dependencies with npm list swiper.
Upgrade swiper to version 12.1.2 or later using npm install swiper@latest. If upgrading is not possible, implement runtime input validation.
While no active exploitation has been confirmed, the vulnerability's critical severity and ease of exploitation suggest it is likely to be targeted.
Refer to the swiper project's official advisory, which can be found on their GitHub repository or npm package page.