
Code generator for Swagger spec vulnerable to remote code execution


Rapid7 yesterday publicly disclosed a vulnerability in Swagger-codegen, a code generator for the OpenAPI specification (aka Swagger) that creates APIs for the REST (representational state transfer) programming architecture.

The flaw exists on both the client and server side, and if exploited it can lead to remote code execution via injectable parameters in Swagger files that use the JSON open-standard format or the YAML data serialization language.

The vulnerability applies to the NodeJS, PHP, Ruby and Java programming languages and perhaps other languages as well. In a blog post, Rapid7 warned: “Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base.”

Until the developers behind the code-generating tool fix the flaw, Rapid7 recommends that users “carefully inspect Swagger documents for language-specific escape sequences.”
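As an added example (not from the article, Rapid7 or the Swagger-codegen project), a small Python checker that implements that advice: it walks a JSON Swagger document and flags any string containing sequences that could close a comment, string literal or template fragment in generated Java, JavaScript, PHP or Ruby code, marking the fields a generator is likely to copy into source. The pattern list, the field names and the sample document are assumptions; a YAML spec loaded with yaml.safe_load gives the same dict and can be passed to the same function.

```python
import json
import re

# Sequences that, copied verbatim into generated source, can close a comment,
# literal or template. Assumption: a generic checklist, not codegen's own rules.
ESCAPE_PATTERNS = {
    "block_comment_close": re.compile(r"\*/"),            # ends /* ... */ (Java, JS, PHP)
    "line_break": re.compile(r"[\r\n]"),                  # escapes a // or # line comment
    "string_close": re.compile(r"""["'`]\s*[;,)}\]]"""),  # closes a quoted literal
    "template_syntax": re.compile(r"\{\{|<%|\$\{|#\{"),   # mustache/ERB/JS/Ruby interpolation
    "php_tag": re.compile(r"<\?php|\?>"),
}
# Spec fields generators commonly copy into identifiers, docstrings or comments.
INJECTABLE_KEYS = {"description", "summary", "title", "operationId", "name", "example"}

def walk_strings(node, path="$"):
    """Yield (json_path, key_name, value) for every string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, path.rsplit(".", 1)[-1].split("[")[0], node

def find_escape_sequences(spec):
    """One finding per (string, pattern) hit; flags fields likely to be templated."""
    findings = []
    for path, key, value in walk_strings(spec):
        for label, pattern in ESCAPE_PATTERNS.items():
            if pattern.search(value):
                findings.append({"path": path, "pattern": label,
                                 "injectable_field": key in INJECTABLE_KEYS})
    return findings

# Constructed sample: a minimal Swagger 2.0 document with two tainted strings
# (the markers are placeholders, not working payloads).
SAMPLE_SPEC = json.loads(r'''{
  "swagger": "2.0",
  "info": {"title": "Pets", "version": "1.0"},
  "paths": {"/pets": {"get": {
    "operationId": "listPets\"; CONSTRUCTED_MARKER; \"",
    "summary": "List pets */ CONSTRUCTED_MARKER /*",
    "description": "Plain text is fine here.",
    "responses": {"200": {"description": "ok"}}}}}
}''')

if __name__ == "__main__":
    print(find_escape_sequences(SAMPLE_SPEC))  # two findings: operationId and summary
```

Any finding with `injectable_field` set is worth blocking before the document reaches a generator; other hits still deserve a look, since which fields a given generator templates varies by language.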

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
