SB2026052713 - Prototype pollution in swiper
Published: May 27, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Prototype pollution (CVE-ID: CVE-2026-27212)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to modify object prototypes.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the extendDefaults handling in shared/utils.mjs when it processes attacker-controlled input after Array.prototype.indexOf has been overwritten. A remote attacker can supply a crafted JSON object and overwrite the global Array.prototype.indexOf behavior to modify object prototypes.
The issue can be triggered across Windows and Linux on Node and Bun runtimes.
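A merge guard that still holds under the precondition described above, as an added example that is not swiper's code or its fix. The names `safeExtend`, `isForbiddenKey`, `defineOwn` and `mergeWithIndexOfReplaced` are hypothetical, and the JSON input is constructed; the design assumption is that the key filter must not depend on replaceable `Array.prototype` methods.

```javascript
// Added example, not swiper's code. Function names are hypothetical.
// The key filter uses strict equality, so it gives the same answer even if
// Array.prototype.indexOf (or includes) has been replaced at runtime.
function isForbiddenKey(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Always creates an own data property; never triggers the __proto__ setter.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });
}

function safeExtend(target, source) {
  if (!isPlainObject(source)) return target;
  const keys = Object.keys(source);
  // Index loop: does not depend on a patchable array iterator or method.
  for (let i = 0; i < keys.length; i += 1) {
    const key = keys[i];
    if (isForbiddenKey(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (!isPlainObject(value)) { defineOwn(target, key, value); continue; }
    // Recurse only into an own plain object, never an inherited property.
    const hasOwnChild = Object.prototype.hasOwnProperty.call(target, key)
      && isPlainObject(target[key]);
    if (!hasOwnChild) defineOwn(target, key, {});
    safeExtend(target[key], value);
  }
  return target;
}

// Regression check on constructed input, run while indexOf is replaced to
// mirror the precondition named in the bulletin.
function mergeWithIndexOfReplaced(json) {
  const original = Array.prototype.indexOf;
  Array.prototype.indexOf = function () { return -1; };
  try {
    return safeExtend({ speed: 300 }, JSON.parse(json));
  } finally {
    Array.prototype.indexOf = original;
  }
}
```

A check of this kind belongs in the test suite of any code that merges untrusted JSON into option objects, alongside the vendor update.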
Remediation
Install the update from the vendor's website.