Severity: critical

XSS in key names

swagger-ui

Overview

Affected versions of swagger-ui contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document.

Proof of Concept

The vulnerable object structure is:

{
    "definitions": {
        "arbitraryVal": {
            "properties": {
                "<INJECTABLE_KEY_NAME>": "LoremIpsum"
            }
        }
    }
}

Malicious JSON documents can be loaded by providing a URL to them in the url query string parameter.
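
As an added example (not swagger-ui code and not part of the original advisory), the following check walks the structure shown above and flags property key names containing HTML-significant characters, alongside the escaped form that is safe to place into markup. The function names and the sample document are assumptions constructed for illustration.

```javascript
// Added example: audit a Swagger JSON document for markup in
// definitions.<name>.properties key names. Names here are hypothetical.
const MARKUP_CHARS = /[&<>"'`]/;
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                  '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// HTML-escape a value before it is inserted into a page.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Return one finding per property key that contains markup characters.
function findSuspiciousPropertyKeys(doc) {
  const findings = [];
  const definitions =
    (doc && typeof doc.definitions === 'object' && doc.definitions) || {};
  for (const [defName, def] of Object.entries(definitions)) {
    const props = def && typeof def === 'object' ? def.properties : undefined;
    if (!props || typeof props !== 'object') continue; // no properties object
    for (const key of Object.keys(props)) {
      if (MARKUP_CHARS.test(key)) {
        findings.push({
          path: `definitions.${defName}.properties`,
          key,
          escaped: escapeHtml(key),
        });
      }
    }
  }
  return findings;
}

// Constructed sample document: one ordinary key, one key carrying markup.
const sampleSpec = {
  definitions: {
    Pet: { properties: { id: { type: 'integer' }, '<b>name</b>': 'LoremIpsum' } },
    Empty: {},
  },
};

for (const f of findSuspiciousPropertyKeys(sampleSpec)) {
  console.log(`${f.path}: key ${JSON.stringify(f.key)} -> ${f.escaped}`);
}
```

A check like this is useful for reviewing documents before they are served to a viewer; it does not replace updating to a fixed version.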

Remediation

Update to version 2.2.1 or later.

Resources

Advisory timeline

  1. published: Advisory published, Jul 21st, 2016
  2. reported: Jul 21st, 2016