GHSA-8jh9-wqpf-q52c

Source

https://github.com/advisories/GHSA-8jh9-wqpf-q52c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-8jh9-wqpf-q52c/GHSA-8jh9-wqpf-q52c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8jh9-wqpf-q52c

Published

2022-11-23T15:49:51Z

Modified

2025-09-24T20:11:29Z

Summary

sweetalert2 v8.19.1 and above contains hidden functionality

Details

sweetalert2 versions 8.19.1 and up until 9.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions below 8.19.1.

Workaround

Users who are unable to update to the fixed version (11.22.4) can use package versions 8.19.0 and below, as they do not contain the hidden functionality.

Database specific

{
    "nvd_published_at": null,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-912"
    ],
    "github_reviewed_at": "2022-11-23T15:49:51Z",
    "github_reviewed": true
}

References

Affected packages

npm / sweetalert2

Package

Name: sweetalert2; View open source insights on deps.dev
Purl: pkg:npm/sweetalert2

Affected ranges

Type: SEMVER
Events: Introduced

8.19.1

Fixed

11.22.4

Database specific

last_known_affected_version_range

"< 9.0.0"