You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A prototype pollution vulnerability exists in the the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2
Details
The vulnerability resides in line 94 of shared/utils.mjs where indexOf() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
Install latest version of swiper using npm install
Run the following code snippet:
varswiper=require('swiper');Array.prototype.indexOf=()=>-1;letobj={};varmalicious_payload='{"__proto__":{"polluted":"yes"}}';console.log({}.polluted);swiper.default.extendDefaults(JSON.parse(malicious_payload));console.log({}.polluted);// prints yes -> indicating that the patch was bypassed and prototype pollution occurred
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
undefined
undefined OR throw an Error
Actual behavior
Object.prototype is polluted
This is printed on the console:
undefined
yes
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how swiper is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.
It could potentially lead to the following problems:
Authentication bypass
Denial of service - Even if an attacker is not able to exploit prototype pollution in swiper, if there is a prototype pollution within the project from other dependencies, modifying global Array.prototype.indexOf property can result in crash when swiper.default.extendDefaults is called because swiper makes use of this global property. This can lead to Denial of Service.
Remote code execution (if polluted property is passed to sinks like eval or child_process)
Patch release fixing two web-component (and Vue wrapper) regressions introduced by the v14 rewrite.
Bug Fixes
core: restore slide detection in web component — the <swiper-container> element initialized with zero slides because slidesEl was resolved to the shadow root instead of the host element (b3b822f), closes #8196
element: render navigation/pagination/scrollbar when set as boolean params — bare boolean usage (<swiper-container navigation>, Vue :navigation="true") stopped rendering the built-in controls (253fa39), closes #8196
Swiper v14 is a ground-up TypeScript rewrite of the entire codebase, focused on smaller bundles, more accurate types, and a modern browser baseline. (We skipped v13.)
Upgrading from v12 requires no code changes. Every option, default, event, payload, method signature, and module import (swiper/modules, swiper/react, swiper/vue, swiper/element, …) behaves exactly as before. The only differences you may notice are tighter TypeScript types and a narrower set of supported browsers — see Breaking Changes below.
Highlights
Single TypeScript source of truth.src/ is now .ts/.tsx. The hand-maintained .d.ts tree (src/types/, the per-module .d.ts files) is gone — declarations are emitted directly from the runtime source with tsc, so the shipped types can no longer drift from the implementation. Several signatures that used to be any are now correctly typed (e.g. getTranslate(): number).
Per-module type augmentation. Each module augments the central Swiper / SwiperOptions / SwiperEvents interfaces. Importing a module (e.g. import { Navigation } from 'swiper/modules') brings its option, method, and event types along with it — mirroring how the runtime already requires registration.
More reliable type resolution. Types now resolve correctly under classic node, node16/nodenext, and bundler module resolution, and swiper/bundle exposes every module's options out of the box. Verified by a consumer-simulation test suite.
Zero runtime dependencies. The ssr-window dependency was removed and replaced with inline environment guards. Swiper now installs with no transitive runtime deps.
Smaller minified bundles. Legacy DOM-compat helpers and below-baseline feature detection were removed. The shared DOM utils shrank ~28%, and the main builds are ~2–4% smaller minified (swiper.min.js −4.1%, swiper-element.min.js −2.9%, swiper-bundle.min.js −2.3%).
Babel removed from the build. TypeScript now handles the JSX transform for the React wrapper, and @babel/preset-env is a no-op at the v14 baseline. Runtime output is byte-identical (React output is marginally smaller).
Breaking Changes
Browser baseline raised to the last ~2 years of evergreen browsers. Swiper v14 targets Chrome / Edge 110+, Safari 16.4+ (iOS 16.4+), and Firefox 110+. Code paths and feature detection for older browsers were removed (e.g. the smoothScroll support flag, the Safari < 16.2 perspective workaround, and the legacy DocumentTouch touch check). iOS/Android-specific quirk handling is kept but simplified. If you need to support older browsers, stay on v12.
Node.js >= 20.19.0 is now required to build/develop against the package (engines was >= 4.7.0). This does not affect the browser runtime.
Type-level changes. Stricter types may surface latent issues in code that previously relied on any-typed access to Swiper internals. These are compile-time only — there are no runtime behavior changes.
SSR
ssr-window's mock window/document were replaced with inline typeof guards. Server rendering with the React / Vue / Element wrappers is unaffected — they only instantiate Swiper in client-side mount effects. Imperatively calling new Swiper(...) in a pure Node (non-DOM) environment once again no-ops gracefully, matching v12 behavior, and is now locked down by a dedicated SSR runtime test.
centeredSlides with centeredSlidesBounds don't work correct when slidesPerView: 'auto' and width of the swiper-container bigger then width of slides (#7696) (c11172a)
element: fix element styles to have correct order override (f26036f), closes #7704
virtual: fix bypassing initial translate check if Virtual is enabled (df957bb), closes #7699
do not remove and re-add visibility classes for unchanged slides to prevents unnecessary style recalculations (This performance difference is mostly noticable when moving a slide with a mouse or touchmove because updateSlidesProgress is triggered for every keyboard-/touchevent) (#7505) (2c08227)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^10.2.0→^14.0.0Prototype pollution in swiper
CVE-2026-27212 / GHSA-hmx5-qpq5-p643
More information
Details
Summary
A prototype pollution vulnerability exists in the the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute
Object.prototypevia a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2Details
The vulnerability resides in line 94 of shared/utils.mjs where indexOf() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
Actual behavior
Object.prototype is polluted
This is printed on the console:
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how swiper is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.
It could potentially lead to the following problems:
Array.prototype.indexOfproperty can result in crash when swiper.default.extendDefaults is called because swiper makes use of this global property. This can lead to Denial of Service.Related CVEs
CVE-2026-25521
CVE-2026-25047
CVE-2026-26021
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nolimits4web/Swiper (swiper)
v14.0.5Compare Source
Bug Fixes
v14.0.2Compare Source
Bug Fixes
v14.0.1Compare Source
Patch release fixing two web-component (and Vue wrapper) regressions introduced by the v14 rewrite.
Bug Fixes
<swiper-container>element initialized with zero slides becauseslidesElwas resolved to the shadow root instead of the host element (b3b822f), closes #8196<swiper-container navigation>, Vue:navigation="true") stopped rendering the built-in controls (253fa39), closes #8196v14.0.0Compare Source
Swiper v14 is a ground-up TypeScript rewrite of the entire codebase, focused on smaller bundles, more accurate types, and a modern browser baseline. (We skipped v13.)
Upgrading from v12 requires no code changes. Every option, default, event, payload, method signature, and module import (
swiper/modules,swiper/react,swiper/vue,swiper/element, …) behaves exactly as before. The only differences you may notice are tighter TypeScript types and a narrower set of supported browsers — see Breaking Changes below.Highlights
src/is now.ts/.tsx. The hand-maintained.d.tstree (src/types/, the per-module.d.tsfiles) is gone — declarations are emitted directly from the runtime source withtsc, so the shipped types can no longer drift from the implementation. Several signatures that used to beanyare now correctly typed (e.g.getTranslate(): number).Swiper/SwiperOptions/SwiperEventsinterfaces. Importing a module (e.g.import { Navigation } from 'swiper/modules') brings its option, method, and event types along with it — mirroring how the runtime already requires registration.node,node16/nodenext, andbundlermodule resolution, andswiper/bundleexposes every module's options out of the box. Verified by a consumer-simulation test suite.ssr-windowdependency was removed and replaced with inline environment guards. Swiper now installs with no transitive runtime deps.swiper.min.js−4.1%,swiper-element.min.js−2.9%,swiper-bundle.min.js−2.3%).@babel/preset-envis a no-op at the v14 baseline. Runtime output is byte-identical (React output is marginally smaller).Breaking Changes
smoothScrollsupport flag, the Safari < 16.2 perspective workaround, and the legacyDocumentTouchtouch check). iOS/Android-specific quirk handling is kept but simplified. If you need to support older browsers, stay on v12.engineswas>= 4.7.0). This does not affect the browser runtime.any-typed access to Swiper internals. These are compile-time only — there are no runtime behavior changes.SSR
ssr-window's mockwindow/documentwere replaced with inlinetypeofguards. Server rendering with the React / Vue / Element wrappers is unaffected — they only instantiate Swiper in client-side mount effects. Imperatively callingnew Swiper(...)in a pure Node (non-DOM) environment once again no-ops gracefully, matching v12 behavior, and is now locked down by a dedicated SSR runtime test.v12.2.0Compare Source
Bug Fixes
v12.1.4Compare Source
Bug Fixes
Features
v12.1.3Compare Source
Bug Fixes
slidesPerViewbefore calculating number of slides (#8172) (49a55ab)Features
v12.1.2Compare Source
v12.1.1Compare Source
Bug Fixes
v12.1.0Compare Source
Bug Fixes
data-swiper-slide-indexforrealIndexwhen virtual module is enabled (#8142) (bd957f8)autoScrolltothumbs.updatetype signature (#8146) (5d91e6e)Features
v12.0.3Compare Source
Bug Fixes
Features
v12.0.2Compare Source
Features
addIconsparameter to add SVG icons to nav buttons (b955b0c), closes #8088 #8087v12.0.1Compare Source
Bug Fixes
v12.0.0Compare Source
Bug Fixes
Features
v11.2.10Compare Source
Bug Fixes
v11.2.9Compare Source
Bug Fixes
v11.2.8Compare Source
Bug Fixes
v11.2.7Compare Source
Bug Fixes
effectparam type (#7945) (42eec07)v11.2.6Compare Source
Bug Fixes
v11.2.5Compare Source
Bug Fixes
zoom.in()function (#7904) (f7febe1)Features
v11.2.4Compare Source
Bug Fixes
v11.2.3Compare Source
Bug Fixes
Features
v11.2.2Compare Source
Bug Fixes
v11.2.1Compare Source
Bug Fixes
v11.2.0Compare Source
Bug Fixes
Features
v11.1.15Compare Source
Bug Fixes
slidesEl,slidesGrid, andslidesSizesGrid(#7768) (fb59a41)v11.1.14Compare Source
Bug Fixes
v11.1.12Compare Source
Bug Fixes
Features
containerRoleparameter (#7708) (1542c01)v11.1.11Compare Source
Bug Fixes
v11.1.10Compare Source
Bug Fixes
v11.1.9Compare Source
Bug Fixes
Features
v11.1.8Compare Source
Bug Fixes
v11.1.7Compare Source
Bug Fixes
v11.1.6Compare Source
Bug Fixes
Features
scrollOnFocus(#7632) (f4f7da0)v11.1.5Compare Source
Bug Fixes
v11.1.4Compare Source
Bug Fixes
v11.1.3Compare Source
Bug Fixes
v11.1.2Compare Source
Bug Fixes
Performance Improvements
v11.1.1Compare Source
Bug Fixes
slidesEl,slidesGrid, andslidesSizesGrid(#7768) (fb59a41)v11.1.0Compare Source
Bug Fixes
v11.0.7Compare Source
Bug Fixes
Features
v11.0.6Compare Source
Bug Fixes
Features
v11.0.5Compare Source
Bug Fixes
Features
slidesUpdatedevent (8a0c7c4)v11.0.4Compare Source
Bug Fixes
v11.0.3Compare Source
Bug Fixes
v11.0.2Compare Source
Bug Fixes
v11.0.1Compare Source
Bug Fixes
v11.0.0Compare Source
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.