CVE-2018-25031
Published 2022-03-11

Priority: P3 · 42 · medium · 4.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:L / I:N / A:N
Exploit: EPSS 42.33% (98.5th percentile)
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartbear | swagger_ui | < 4.1.3 | 4.1.3 |
Detection & IOCs (extracted from sources)
URL: `{{BaseURL}}/index.html?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Byb2plY3RkaXNjb3ZlcnkvbnVjbGVpLXRlbXBsYXRlcy9tYWluL2hlbHBlcnMvcGF5bG9hZHMvc3dhZ2dlci1wYXlsb2FkIgp9`
- Exploit vector uses the `configUrl` query parameter with a `data:text/html;base64,...` URI to load a remote OpenAPI definition — monitor HTTP requests to Swagger UI endpoints containing `configUrl=data:` in the query string.
- Shodan dork `http.component:"Swagger"` (case-insensitive) can be used to identify exposed Swagger UI instances for asset discovery and patch verification.
- Detection requires a headless browser step: navigate to the crafted URL then wait for a JavaScript dialog (`waitdialog`) — a triggered dialog (`swagger_dom == true`) combined with the word `swagger` in the response body confirms exploitation.
- The fix version is disputed: the vulnerability was originally claimed to be resolved in 4.1.3, but third parties confirmed it persists in 4.1.3 and possibly later versions — do not rely solely on version checks for remediation validation.
- The Nuclei template title references `< 3.38.0` while the CVE description references `before 4.1.3` — the affected version range is inconsistent across sources; treat all Swagger UI versions up to at least 4.1.3 as potentially vulnerable.
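The monitoring advice above (watch Swagger UI requests for `configUrl=data:` and decode what the data URI points at) can be turned into a small log triage script. The following is an added example written for this page, not code from the CVE sources or the swagger-ui project. It parses combined-format access-log lines, flags `configUrl` values that are `data:` URIs or point at hosts outside an allow-list, and, for base64 data URIs, decodes the embedded Swagger config and extracts its `url` so an analyst can see which remote definition the victim would have been shown. The `url` parameter is included on the assumption that it can be abused the same way as `configUrl`; the log lines, host names and `/swagger` path prefix are constructed for the example.

```python
import base64
import json
import re
from urllib.parse import unquote, urlsplit

# Query parameters Swagger UI honours for choosing what to load.
# "configUrl" is the parameter named in the advisory's exploit vector; "url"
# (the definition to render) is included on the assumption that it can be
# abused the same way.
WATCHED_PARAMS = ("configUrl", "url")

# Combined/common access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DATA_URI_RE = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)?),(?P<body>.*)$", re.S)


def split_query(query: str) -> list[tuple[str, str]]:
    """Split a raw query string without turning '+' into spaces
    (parse_qs would, which corrupts base64 payloads)."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def decode_data_uri(value: str):
    """Return (mime, decoded text) for a data: URI, or None if it is not one."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    body = m.group("body")
    if "base64" in m.group("params"):
        padded = body + "=" * (-len(body) % 4)   # tolerate stripped padding
        try:
            text = base64.b64decode(padded).decode("utf-8", "replace")
        except (ValueError, UnicodeError):
            return m.group("mime"), None
    else:
        text = body
    return m.group("mime"), text


def classify_value(value: str, allowed_hosts: set[str]):
    """Decide whether a configUrl/url value points somewhere it should not.
    Returns (kind, remote_url) or None when the value looks benign."""
    decoded = decode_data_uri(value)
    if decoded is not None:
        _mime, text = decoded
        remote = None
        try:
            cfg = json.loads(text) if text else None
            if isinstance(cfg, dict):
                remote = cfg.get("url")   # the definition the config would load
        except ValueError:
            pass
        return "data-uri", remote
    parts = urlsplit(value)
    if parts.netloc and (parts.hostname or "").lower() not in allowed_hosts:
        return "external-url", value
    return None   # relative path or an allow-listed host


def scan_log(lines, allowed_hosts, path_prefixes=None):
    """Walk access-log lines and return one finding per suspicious request."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if path_prefixes and not target.path.startswith(tuple(path_prefixes)):
            continue
        for key, value in split_query(target.query):
            if key not in WATCHED_PARAMS:
                continue
            verdict = classify_value(value, allowed)
            if verdict is None:
                continue
            kind, remote = verdict
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "path": target.path,
                "param": key, "kind": kind, "remote_url": remote,
                "value": value[:80],
            })
    return findings


# Constructed sample log (not real traffic). The first line carries a base64
# data: URI wrapping a Swagger config that points at a hypothetical host.
_SAMPLE_CONFIG = base64.b64encode(
    json.dumps({"url": "https://attacker.example/openapi.json"}).encode()
).decode()
SAMPLE_LOG = [
    f'203.0.113.5 - - [11/Mar/2022:10:00:01 +0000] "GET /swagger/index.html?configUrl=data:text/html;base64,{_SAMPLE_CONFIG} HTTP/1.1" 200 1234',
    '203.0.113.6 - - [11/Mar/2022:10:00:02 +0000] "GET /swagger/index.html?url=https://evil.example/spec.yaml HTTP/1.1" 200 1234',
    '198.51.100.7 - - [11/Mar/2022:10:00:03 +0000] "GET /swagger/index.html?url=/v1/openapi.json HTTP/1.1" 200 1234',
    '198.51.100.8 - - [11/Mar/2022:10:00:04 +0000] "GET /swagger/index.html?url=https://api.example.com/openapi.json HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, {"api.example.com"}, path_prefixes=["/swagger"]):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['kind']} -> {f['remote_url']}")
```

Scoping the scan with `path_prefixes` keeps other applications that happen to use a `url` parameter out of the results; the allow-list should contain the hosts that legitimately serve your OpenAPI definitions, so that the second finding kind only fires for definitions pulled from elsewhere. Because the fix version is disputed, this kind of request-level check is worth keeping in place even on instances that report 4.1.3 or later.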
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
GHSA
Spoofing attack in swagger-ui
ghsa · 2022-03-12
CVE-2018-25031 [MEDIUM] CWE-20
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

OSV
Spoofing attack in swagger-ui
osv · 2022-03-12
CVE-2018-25031 [MEDIUM]
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
No detection rules found.
Nuclei
Swagger UI < 3.38.0 - Cross-Site Scripting
nuclei · CVSS 4.3
CVE-2018-25031 [MEDIUM]
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

Template:

```yaml
id: CVE-2018-25031
info:
  name: Swagger UI < 3.38.0 - Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
  impact: |
    Attackers can trick users into viewing malicious OpenAPI definitions, potentially leading to information disclosure or further attacks.
  remediation: |
    Update to the latest version o
```
No writeups or analysis indexed.
References:
- https://github.com/swagger-api/swagger-ui/issues/4872
- https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3
- https://security.netapp.com/advisory/ntap-20220407-0004/
- https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885

Published: 2022-03-11