GHSA-457r-cqc8-9vj9: sweetalert2 v10.16.10 and above contains hidden functionality
CVSS Score: N/A
Basic Information
CVE ID: -
GHSA ID: GHSA-457r-cqc8-9vj9
EPSS Score: -
CWE:
Published: 11/23/2022
Updated: 1/11/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sweetalert2 | npm | >= 10.16.10, < 11.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory explicitly states protestware behavior affecting specific TLDs, and the v11.4.9 release notes reference the 'STOP WAR' message implementation. While exact function names aren't provided in public sources, the core vulnerability stems from domain-checking and content-injection logic added in this version range. The protestware implementation would logically reside in the package's initialization or rendering flow, making the main sweetalert2.js file the most likely location.