Code generator for Swagger spec vulnerable to remote code execution

Rapid7 yesterday publicly disclosed a vulnerability in Swagger-codegen, a code generator for the OpenAPI specification (aka Swagger) that creates APIs for the REST (representational state transfer) programming architecture.

The flaw exists on the client and server side – and if exploited, it can lead to remote code execution via injectable parameters in Swagger files that use the JASN open-standard format or YAML data serialisation language.

The vulnerability applies to the NodeJS, PHP, Ruby and Java programming languages and perhaps other languages as well. In a blog post, Rapid7 warned: “Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitised parameters within a Swagger document to generate a client code base.”

Until the developers behind the code-generating tool fixes the flaw, Rapid7 recommends that users “carefully inspect Swagger documents for language-specific escape sequences.”

Sign up to our newsletters