GHSA-QRMM-W75W-3WPX

GHSA-QRMM-W75W-3WPX is a medium-severity server-side request forgery (SSRF) vulnerability in swagger-ui (npm), affecting versions < 4.1.3. It is fixed in 4.1.3, 6.3.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Server side request forgery in SwaggerUI

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.

However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

An example scenario abusing this functionality could take the following form:

  • https://example.com/api-docs hosts a version of SwaggerUI with ?url= query parameter enabled.
  • Users will trust the domain https://example.com and the contents of the OpenAPI definition.
  • A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at https://evildomain.
  • Users mistakenly click a phishing URL like https://example.com/api-docs?url=https://evildomain/fakeapi.yaml and enters sensitive data via the "Try-it-out" feature.

We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is not possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.

Resolution

We've made the decision to disable query parameters (#4872) by default starting with SwaggerUI version 4.1.3. Please update to this version when it becomes available (ETA: 2021 December). Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites.

Workaround

If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:

SwaggerUI({
  //  ...other configuration options,
  plugins: [function UrlParamDisablePlugin() {
    return {
      statePlugins: {
        spec: {
          wrapActions: {
            // Remove the ?url parameter from loading an external OpenAPI definition.
            updateUrl: (oriAction) => (payload) => {
              const url = new URL(window.location.href)
              if (url.searchParams.has('url')) {
                url.searchParams.delete('url')
                window.location.replace(url.toString())
              }
              return oriAction(payload)
            }
          }
        }
      }
    }
  }],
})

Future UX work

Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.

Reflected XSS attack

Warning in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.

Impact

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

Affected versions

swagger-ui (< 4.1.3) swagger-ui-dist (< 4.1.3) swagger-ui-react (< 4.1.3) Swashbuckle.AspNetCore.SwaggerUI (< 6.3.0)

Security releases

swagger-ui → 4.1.3 (npm) swagger-ui-dist → 4.1.3 (npm) swagger-ui-react → 4.1.3 (npm) Swashbuckle.AspNetCore.SwaggerUI → 6.3.0 (nuget)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

swagger-ui to 4.1.3 or later; swagger-ui-dist to 4.1.3 or later; swagger-ui-react to 4.1.3 or later; Swashbuckle.AspNetCore.SwaggerUI to 6.3.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-QRMM-W75W-3WPX? GHSA-QRMM-W75W-3WPX is a medium-severity server-side request forgery (SSRF) vulnerability in swagger-ui (npm), affecting versions < 4.1.3. It is fixed in 4.1.3, 6.3.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. Which packages are affected by GHSA-QRMM-W75W-3WPX?
    • swagger-ui (npm) (versions < 4.1.3)
    • swagger-ui-dist (npm) (versions < 4.1.3)
    • swagger-ui-react (npm) (versions < 4.1.3)
    • Swashbuckle.AspNetCore.SwaggerUI (nuget) (versions < 6.3.0)
  3. Is there a fix for GHSA-QRMM-W75W-3WPX? Yes. GHSA-QRMM-W75W-3WPX is fixed in 4.1.3, 6.3.0. Upgrade to this version or later.
  4. Is GHSA-QRMM-W75W-3WPX exploitable, and should I be worried? Whether GHSA-QRMM-W75W-3WPX is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-QRMM-W75W-3WPX is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-QRMM-W75W-3WPX?
    • Upgrade swagger-ui to 4.1.3 or later
    • Upgrade swagger-ui-dist to 4.1.3 or later
    • Upgrade swagger-ui-react to 4.1.3 or later
    • Upgrade Swashbuckle.AspNetCore.SwaggerUI to 6.3.0 or later

Other vulnerabilities in swagger-ui

Stop the waste.
Protect your environment with Kodem.