REPRO-2026-00107 CRITICAL DoS Verified

Swiper Prototype Pollution

swiper (npm) Feb 20, 2026

Open in Codespaces Download Script

Confidence HIGH

Reproduced in 10m 21s

Tool calls 87

Affected >= 6.5.1, < 12.1.2

Fixed in 12.1.2

What's the vulnerability?

A prototype pollution vulnerability exists in the the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2

Root Cause Analysis

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00107

or pruva-verify GHSA-hmx5-qpq5-p643

or pruva-verify CVE-2026-27212

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

1

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00107/artifacts/repro/reproduction_steps.sh

2

Make executable

chmod +x reproduction_steps.sh

3

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

repro/rca_report.md7.7 KB

repro/reproduction_steps.sh2.4 KB

bundle/source.json7.7 KB

bundle/ticket.json11.6 KB

bundle/ticket.md3.2 KB

logs/constructor_variant_test.log0.2 KB

logs/fixed_version_test.log0.2 KB

logs/includes_variant_test.log0.2 KB

logs/npm_install.log0.0 KB

logs/test_output.log0.2 KB

logs/vuln_version_test.log0.2 KB