scott davis

R7-2016-19: Persistent XSS via Unescaped Parameters in Swagger-UI (CVE-2016-5682)

Blog post created by Scott Davis (Rapid7 employee) on Aug 29, 2016

Parameters within a Swagger document are loaded insecurely into browser-based documentation. Persistent XSS results when that generated documentation is then hosted on a public site. This issue was resolved in Swagger-UI 2.2.1.


One of the components used to build the interactive documentation portion of the Swagger ecosystem is Swagger-UI. This interface generates dynamic documentation from a referenced Swagger document and can interact with the API that document describes. If the Swagger document itself contains XSS payloads, the swagger-ui component can be tricked into injecting unescaped content into the DOM.

Product Description

From the README at

"Swagger UI is part of the Swagger project. The Swagger project allows you to produce, visualize and consume your own RESTful services. No proxy or 3rd party services required. Do it your own way.

Swagger UI is a dependency-free collection of HTML, Javascript, and CSS assets that dynamically generate beautiful documentation and sandbox from a Swagger-compliant API. Because Swagger UI has no dependencies, you can host it in any server environment, or on your local machine."

The swagger UI will parse a chosen swagger file, and generate dynamic colorful documentation that enables users to interact with a RESTful API.


Credit

Scott Lee Davis, Application Security Researcher, Rapid7



Exploitation

If the definitions section of a Swagger file contains a property whose default value carries an XSS payload, that value is loaded unescaped into the DOM. For example, a property defined as:



  Type: string
  Description: prints xss
  Default: <script>console.log('000000000000000000dad0000000000000000000');</script>


Mitigation

Sanitization of HTML content should be done by an engine built for the job. The swagger-ui team chose to solve this issue with the npm module sanitize-html, and users should upgrade to Swagger-UI 2.2.1 or later.
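A minimal JavaScript rendering of the scenario above, added here as an example and not Swagger-UI's own code: it renders a constructed definitions entry once with raw string interpolation (the vulnerable pattern) and once with output escaping. Swagger-UI's actual fix used the sanitize-html module; the escapeHtml helper below is a stand-in so the example runs offline.

```javascript
// Constructed sample Swagger 2.0 fragment carrying the advisory's benign payload.
const swaggerDoc = {
  definitions: {
    Widget: {
      properties: {
        name: { type: 'string', description: 'prints xss',
                default: "<script>console.log('000000000000000000dad0000000000000000000');</script>" },
      },
    },
  },
};

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return (value == null ? '' : String(value))
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: document-controlled values interpolated straight into markup.
function renderDefinitionsUnsafe(doc) {
  let html = '';
  for (const [model, schema] of Object.entries(doc.definitions)) {
    for (const [prop, spec] of Object.entries(schema.properties)) {
      html += `<tr><td>${model}.${prop}</td><td>${spec.type}</td>` +
        `<td>${spec.description}</td><td>${spec.default}</td></tr>`;
    }
  }
  return html;
}

// Hardened pattern: the same rendering with every document value escaped first,
// so the payload reaches the DOM as literal text rather than a script element.
function renderDefinitionsSafe(doc) {
  let html = '';
  for (const [model, schema] of Object.entries(doc.definitions)) {
    for (const [prop, spec] of Object.entries(schema.properties)) {
      html += `<tr><td>${escapeHtml(model)}.${escapeHtml(prop)}</td>` +
        `<td>${escapeHtml(spec.type)}</td><td>${escapeHtml(spec.description)}</td>` +
        `<td>${escapeHtml(spec.default)}</td></tr>`;
    }
  }
  return html;
}
```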

Disclosure Timeline

This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.

  • Thu, Jun 09, 2016: Discovery by Scott Lee Davis of Rapid7, Inc.
  • Fri, Jun 17, 2016: Attempted to contact the vendor
  • Mon, Jul 11, 2016: Disclosed details to the vendor at
  • Wed, Jul 27, 2016: Disclosed details to CERT as VR-316
  • Tue, Aug 09, 2016: CVE-2016-5682 assigned by CERT
  • Tue, Aug 23, 2016: Fixed in Swagger-UI 2.2.1
  • Fri, Sep 02, 2016: Public disclosure