CVE-2026-27212
Prototype Pollution in Swiper Slider Enables RCE and DoS
Publication date: 2026-02-21
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| swiperjs | swiper | From 6.5.1 (inc) to 12.1.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27212 is a prototype pollution vulnerability in the Swiper npm package versions 6.5.1 through 12.1.1. The issue arises because the package uses the indexOf() function to check for forbidden keys in user input, but this check can be bypassed by overriding Array.prototype.indexOf. This allows an attacker to pollute Object.prototype by injecting crafted input, effectively modifying the global object prototype.
The vulnerability exists in the file shared/utils.mjs at line 94, where the filtering of dangerous keys like '__proto__', 'constructor', and 'prototype' is done using indexOf, which can be manipulated. This flaw enables attackers to add or modify properties on Object.prototype, leading to serious security issues. [2, 3]
How can this vulnerability impact me?
If an application uses the vulnerable versions of Swiper and processes attacker-controlled input, it may be exposed to several severe impacts:
- Authentication bypass
- Denial of Service (DoS) due to crashes caused by modified Array.prototype.indexOf
- Remote Code Execution (RCE) if polluted properties reach dangerous sinks such as eval or child_process
The vulnerability affects both Windows and Linux environments and is exploitable on Node.js and Bun runtimes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves prototype pollution in the Swiper package versions 6.5.1 through 12.1.1, specifically through crafted inputs that manipulate Object.prototype via Array.prototype. Detection involves identifying if your system or application uses a vulnerable version of the Swiper package and if it processes attacker-controlled input using this package.
Since the vulnerability is related to prototype pollution via crafted JSON input and manipulation of Array.prototype.indexOf, detection can include checking for unexpected properties on Object.prototype or Array.prototype, or monitoring for suspicious modifications in runtime environments (Node.js or Bun).
There are no explicit commands provided in the resources, but general detection steps could include:
- Check the installed version of Swiper in your project dependencies (e.g., using npm or yarn): `npm list swiper` or `yarn list swiper`.
- Inspect runtime objects for unexpected prototype properties, for example in Node.js REPL or debugging sessions, check if `Object.prototype.polluted` or similar properties exist.
- Audit application logs or runtime behavior for crashes or denial of service symptoms that might be caused by prototype pollution.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the Swiper package to version 12.1.2 or later, where the vulnerability is fixed.
The fix replaces the vulnerable filtering method that relied on Array.prototype.indexOf with a direct string comparison to exclude dangerous keys such as '__proto__', 'constructor', and 'prototype', preventing prototype pollution.
- Update your project's Swiper dependency to version 12.1.2 or above using your package manager, for example: `npm install swiper@12.1.2` or `yarn add swiper@12.1.2`.
- Review and sanitize any user-controlled input that is passed to Swiper or related utilities to reduce risk.
- Monitor your application for unusual behavior such as crashes or unexpected property additions to global objects. [1, 2, 3]
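As an added example (not Swiper's own code), the two sides of this advisory in one runnable file: `safeExtend` is a recursive option merge that rejects the three dangerous keys by direct string comparison, the approach the fix above describes, and `findPrototypePollution` implements the Object.prototype check suggested in the detection answer. Function names and the sample JSON are assumptions made for this example.

```javascript
// Added example (not Swiper's own code): hardened key filtering for a
// recursive merge, plus a runtime check for a polluted Object.prototype.

// Direct comparison does not call Array.prototype.indexOf, so tampering with
// that method cannot turn the filter off.
function isForbiddenKey(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Merge `source` into `target`, skipping forbidden keys at every depth.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (isForbiddenKey(key)) continue; // drop the key instead of merging it
    const value = source[key];
    if (isPlainObject(value)) {
      // Only descend into an own plain object, never into an inherited one.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Own property names of a clean Object.prototype per ECMAScript (including
// Annex B); a fixed list, so the check does not trust the runtime's state.
const STANDARD_OBJECT_PROTOTYPE_PROPS = new Set([
  'constructor', '__defineGetter__', '__defineSetter__', 'hasOwnProperty',
  '__lookupGetter__', '__lookupSetter__', 'isPrototypeOf',
  'propertyIsEnumerable', 'toString', 'valueOf', '__proto__', 'toLocaleString',
]);

// Detection: any other own property on Object.prototype is a pollution sign.
function findPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !STANDARD_OBJECT_PROTOTYPE_PROPS.has(name));
}

// Constructed sample input of the shape the advisory describes (a "__proto__"
// key inside JSON); JSON.parse turns it into an ordinary own property.
const UNTRUSTED_JSON = '{"__proto__":{"polluted":true},"speed":300}';
const merged = safeExtend({}, JSON.parse(UNTRUSTED_JSON));
console.log(merged.speed, ({}).polluted, findPrototypePollution()); // 300 undefined []
```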