{"id":"CVE-2018-25031","details":"Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.","aliases":["GHSA-cr3q-pqgq-m8c2"],"modified":"2026-04-10T04:09:11.121936Z","published":"2022-03-11T07:15:07.190Z","references":[{"type":"ADVISORY","url":"https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220407-0004/"},{"type":"FIX","url":"https://github.com/swagger-api/swagger-ui/issues/4872"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/swagger-api/swagger-ui","events":[{"introduced":"0"},{"fixed":"86e7f002c6dc55c935e18e82f9c5576dc48a7ff2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.3"}]}}],"versions":["$GIT_TAG","3.3.1","3.8.1","v/3.18.0","v1.0","v1.0.1","v1.0.12","v1.0.13","v1.1.1","v1.1.15","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v2.0.0","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.18","v2.0.19","v2.0.2","v2.0.20","v2.0.21","v2.0.22","v2.0.24","v2.0.3","v2.0.4","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.0-M1","v2.1.0-M2","v2.1.0-alpha.1","v2.1.0-alpha.4","v2.1.0-alpha.5","v2.1.0-alpha.6","v2.1.1","v2.1.1-M1","v2.1.1-M2","v2.1.2","v2.1.2-M1","v2.1.2-M2","v2.1.3","v2.1.3-M1","v2.1.3-M2","v2.1.4","v2.1.4-M1","v2.1.4-M2","v2.1.5","v2.1.5-M1","v2.1.5-M2","v2.1.6-M1","v2.1.7-M1","v2.1.8-M1","v2.2.0","v2.2.1","v2.2.10","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v3.0.0","v3.0.1","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.14","v3.0.15","v3.0.16","v3.0.17","v3.0.18","v3.0.19","v3.0.2","v3.0.20","v3.0.21","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.10.0","v3.11.0","v3.12.0","v3.12.1","v3.12.9","v3.13.0","v3.13.2","v3.13.3","v3.13.4","v3.13.5","v3.13.6","v3.14.0","v3.14.1","v3.14.2","v3.15.0","v3.16.0","v3.17.0","v3.17.1","v3.17.2","v3.17.3","v3.17.4","v3.17.5","v3.17.6","v3.18.0","v3.18.1","v3.18.2","v3.18.3","v3.19.0","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.19.5","v3.2.0","v3.2.1","v3.2.2","v3.20.0","v3.20.1","v3.20.2","v3.20.3","v3.20.4","v3.20.5","v3.20.6","v3.20.7","v3.20.8","v3.20.9","v3.21.0","v3.22.0","v3.22.1","v3.22.2","v3.22.3","v3.23.0","v3.23.1","v3.23.10","v3.23.11","v3.23.2","v3.23.3","v3.23.4","v3.23.5","v3.23.6","v3.23.7","v3.23.8","v3.23.9","v3.24.0","v3.24.1","v3.24.2","v3.24.3","v3.25.0","v3.25.1","v3.25.2","v3.25.3","v3.25.4","v3.25.5","v3.26.0","v3.26.1","v3.26.2","v3.27.0","v3.28.0","v3.29.0","v3.3.0","v3.3.1","v3.3.2","v3.30.0","v3.30.1","v3.30.2","v3.31.0","v3.31.1","v3.32.0","v3.32.1","v3.32.2","v3.32.3","v3.32.4","v3.32.5","v3.33.0","v3.34.0","v3.35.0","v3.35.1","v3.35.2","v3.36.0","v3.36.1","v3.36.2","v3.37.0","v3.37.1","v3.37.2","v3.38.0","v3.39.0","v3.4.0","v3.4.1","v3.4.2","v3.4.3","v3.4.4","v3.4.5","v3.40.0","v3.41.0","v3.41.1","v3.42.0","v3.43.0","v3.44.0","v3.44.1","v3.45.0","v3.45.1","v3.46.0","v3.47.0","v3.47.1","v3.48.0","v3.49.0","v3.5.0","v3.50.0","v3.51.0","v3.51.1","v3.51.2","v3.52.0","v3.52.1","v3.52.2","v3.52.3","v3.52.4","v3.52.5","v3.6.0","v3.6.1","v3.7.0","v3.8.0","v3.8.1","v3.9.0","v3.9.1","v3.9.2","v4.0.0","v4.0.1","v4.1.0","v4.1.1","v4.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-25031.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}