GHSA-pg98-6v7f-2xfv

Suggest an improvement
Source
https://github.com/advisories/GHSA-pg98-6v7f-2xfv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-pg98-6v7f-2xfv/GHSA-pg98-6v7f-2xfv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pg98-6v7f-2xfv
Published
2022-11-23T15:44:52Z
Modified
2025-09-24T20:11:23Z
Summary
sweetalert2 v9.17.4 and above contains hidden functionality
Details

sweetalert2 versions 9.17.4 and up until 10.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 9.0.0 - 9.17.3.

Workaround

Users who are unable to update to the fixed version (11.22.4) can use package versions 9.0.0-9.17.3, as they do not contain the hidden functionality.

Database specific 
{
    "cwe_ids": [
        "CWE-912"
    ],
    "severity": "LOW",
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-23T15:44:52Z"
}
References

Affected packages

npm / sweetalert2

Package

Name
sweetalert2
View open source insights on deps.dev
Purl
pkg:npm/sweetalert2

Affected ranges

Type
SEMVER
Events
Introduced
9.17.4
Fixed
11.22.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-pg98-6v7f-2xfv/GHSA-pg98-6v7f-2xfv.json"

last_known_affected_version_range

"< 10.0.0"