Swagger UI DOM XSS vulnerability
Description
Swagger UI is a widely used tool for visualizing and interacting with REST APIs. Versions 3.14.1 through 3.38.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability caused by an outdated version of the bundled DOMPurify sanitization library. This vulnerability allows attackers to inject and execute malicious JavaScript in the context of a user's browser when the user interacts with a vulnerable Swagger UI instance.
Remediation
Immediately upgrade Swagger UI to version 3.38.1 or later to remediate this vulnerability. Follow these steps:
1. Identify Current Version: Check your current Swagger UI version by examining the swagger-ui-bundle.js file or package.json dependencies.
2. Update Dependencies: If using npm or yarn, update your package.json:
npm install swagger-ui@latest
# or, with yarn: yarn upgrade swagger-ui@latest
3. For CDN Users: Update your HTML to reference the latest version:
<script src="https://unpkg.com/swagger-ui-dist@latest/swagger-ui-bundle.js"></script>
4. Verify the Update: After upgrading, confirm the new version is deployed and the vulnerability is resolved by checking the swagger-ui-bundle.js hash against known vulnerable versions.
5. Additional Hardening: Implement Content Security Policy (CSP) headers to provide defense-in-depth protection against XSS attacks, even if future vulnerabilities are discovered.
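Steps 1 and 4 above both come down to checking the deployed version against the vulnerable range 3.14.1 through 3.38.0. The following script is an added example, not part of the advisory or of the Swagger UI project: it scans a package-lock.json for the Swagger UI packages and reports any whose resolved version is in that range. The sample lock file is constructed, and the assumption that swagger-ui, swagger-ui-dist and swagger-ui-react share one version line is the author's.

```javascript
// Added example: flag Swagger UI packages whose locked version lies in the
// vulnerable range 3.14.1 <= v <= 3.38.0 named in the advisory.
const VULN_MIN = [3, 14, 1];
const VULN_MAX = [3, 38, 0];
// Assumption: these packages are released in lockstep from the same repo.
const SWAGGER_PACKAGES = ['swagger-ui', 'swagger-ui-dist', 'swagger-ui-react'];

// Parse "3.38.0", "v3.38.0" or "3.38.0-rc.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerableSwaggerUiVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, VULN_MIN) >= 0 && compareVersions(p, VULN_MAX) <= 0;
}

// Scan the text of a package-lock.json (exact resolved versions, unlike the
// ranges in package.json) and return every vulnerable Swagger UI entry.
function findVulnerableSwaggerUi(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  // lockfileVersion 2/3 uses "packages" keyed by path; v1 uses "dependencies".
  const entries = Object.entries(lock.packages || lock.dependencies || {});
  const findings = [];
  for (const [key, info] of entries) {
    const name = key.replace(/^.*node_modules\//, '');
    if (SWAGGER_PACKAGES.includes(name) && info.version &&
        isVulnerableSwaggerUiVersion(info.version)) {
      findings.push({ name, version: info.version });
    }
  }
  return findings;
}

// Constructed sample lock file; not taken from any real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-api-docs' },
    'node_modules/swagger-ui-dist': { version: '3.25.0' },
    'node_modules/react': { version: '17.0.2' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableSwaggerUi(SAMPLE_LOCK));
}
```

Run it against your own lock file by replacing SAMPLE_LOCK with the file contents; an empty result means no Swagger UI package in the vulnerable range is locked.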