
Cloud Vulnerability DB
A community-led vulnerabilities database
Swagger UI 4.1.2 and earlier contains a vulnerability that could allow remote attackers to conduct spoofing attacks. The vulnerability was initially disclosed on March 11, 2022, and affects all versions of Swagger UI up to and including 4.1.2. While it was initially claimed to be resolved in version 4.1.3, third parties have indicated the vulnerability persists in that version and possibly others (CVE Details, MITRE).
The vulnerability stems from the ability to override the hard-coded schema file using the ?url query parameter in Swagger UI. This functionality lets an attacker display a remote OpenAPI definition by persuading a victim to open a crafted URL. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating that it requires user interaction but no privileges and can affect confidentiality (Snyk, Ubuntu).
When successfully exploited, this vulnerability can lead to disclosure of sensitive information. The URL parameter is particularly dangerous in environments where authentication or other sensitive information is used, because an attacker could trick users into leaking their login credentials by supplying a look-alike schema file whose authorization requests are sent to an attacker-controlled server (GitHub Issue).
The vulnerability was addressed in Swagger UI version 4.1.3 by disabling, by default, the reading of configuration parameters from the URL. To re-enable this functionality, users must explicitly set the new queryConfigEnabled core parameter to true. Organizations are advised to upgrade to version 4.1.3 or later and to carefully consider the security implications before enabling URL parameter configuration (GitHub Release).
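As an added illustration (not Swagger UI's own code), the snippet below contrasts the 4.1.3+ default with the legacy setting, models which spec URL each one ends up loading from a crafted link, and adds a hypothetical audit helper that flags an off-origin ?url override in access logs. The option names mirror the queryConfigEnabled and url parameters named on this page; the page URL, origins and allowlist are constructed sample values.

```javascript
// Constructed Swagger UI init options. queryConfigEnabled is the core
// parameter named in the 4.1.3 release; everything else here is assumed.
const hardenedConfig = {
  url: "/openapi.json",        // spec served from the docs site's own origin
  queryConfigEnabled: false,   // 4.1.3+ default: query-string config is ignored
};

const legacyConfig = {
  url: "/openapi.json",
  queryConfigEnabled: true,    // pre-4.1.3 behaviour: ?url= replaces the spec
};

// Model of which definition Swagger UI loads for a given page URL.
// Relative ?url= values resolve against the page, as the browser would.
function effectiveSpecUrl(config, pageUrl) {
  const page = new URL(pageUrl);
  const override = page.searchParams.get("url");
  if (!config.queryConfigEnabled || override === null) {
    return config.url;
  }
  return new URL(override, page).href;
}

// Hypothetical audit helper for log review: given a requested docs URL and
// the origins we legitimately serve OpenAPI files from, report whether the
// request attempts an off-origin override (the spoofing pattern above).
function auditDocsRequest(pageUrl, allowedOrigins) {
  const page = new URL(pageUrl);
  const override = page.searchParams.get("url");
  if (override === null) {
    return { overridden: false, offOrigin: false, spec: null };
  }
  const spec = new URL(override, page);
  return {
    overridden: true,
    offOrigin: !allowedOrigins.includes(spec.origin),
    spec: spec.href,
  };
}

// Constructed sample: a link that points the viewer at a foreign definition.
const craftedLink =
  "https://docs.example.test/swagger/?url=https://attacker.example/spec.json";
console.log(effectiveSpecUrl(hardenedConfig, craftedLink)); // /openapi.json
console.log(effectiveSpecUrl(legacyConfig, craftedLink));   // attacker spec
console.log(auditDocsRequest(craftedLink, ["https://docs.example.test"]));
```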
Source: This report was generated using AI