swagger-typescript-api is vulnerable to Server-Side Request Forgery (SSRF)
Medium Risk
swagger-typescript-api issues HTTP requests to every $ref URL found in an OpenAPI specification during code generation without validating the target. A malicious spec can point $ref at internal hosts, loopback, RFC-1918 ranges, or the cloud instance-metadata endpoint, forcing the generator process to make attacker-directed requests. Missing DNS-rebinding protection, private-IP filtering, and redirect re-validation widen the reachable surface. The fix blocks private, loopback, and link-local targets, restricts cross-origin fetches to public hosts, and re-validates each redirect hop.
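The class of check the fix describes, as an added example that is not swagger-typescript-api's own code: every remote `$ref` in a parsed OpenAPI document is validated before any request is made (scheme allow-list, no embedded credentials, no localhost, no private/loopback/link-local IPv4 or IPv6 literal), and redirects are followed by hand so each hop is re-validated. `auditSpecRefs`, `validateRefTarget`, `isBlockedAddress`, `fetchRefWithRevalidation`, the sample spec and the `fakeFetch` stub are all constructed for this demonstration; the stub stands in for an HTTP client configured not to follow redirects itself.

```javascript
// Added example (not the project's code): SSRF guard for OpenAPI $ref fetches.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Dotted-quad IPv4 literal -> [a, b, c, d], or null. The WHATWG URL parser has
// already canonicalised shorthand such as 127.1, 0x7f.1 or 2130706433.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918, loopback, "this network", link-local (which includes the
// 169.254.169.254 instance-metadata endpoint) and CGNAT 100.64/10.
function isBlockedIPv4([a, b]) {
  return a === 10 || a === 127 || a === 0 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// IPv6: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
// IPv4-mapped addresses (dotted or hex form) inherit the IPv4 verdict.
function isBlockedIPv6(literal) {
  const h = literal.toLowerCase();
  if (h === '::1' || h === '::') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (dotted) { const v4 = parseIPv4(dotted[1]); return v4 === null || isBlockedIPv4(v4); }
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  return false;
}

// Verdict for a raw address. Apply it to every address the resolver returns
// (e.g. from a custom lookup hook at connect time) as well as to literals in
// the URL, so a DNS answer that changes between check and connect is caught.
function isBlockedAddress(ip) {
  const v4 = parseIPv4(ip);
  return v4 ? isBlockedIPv4(v4) : isBlockedIPv6(ip);
}

// Validate one $ref URL; returns { ok, url } or { ok, reason }.
function validateRefTarget(ref) {
  let url;
  try { url = new URL(ref); } catch { return { ok: false, reason: 'not an absolute URL' }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'credentials embedded in URL' };
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const literal = host.startsWith('[') ? host.slice(1, -1) : host; // strip IPv6 brackets
  if (isBlockedAddress(literal)) return { ok: false, reason: 'private, loopback or link-local address' };
  url.hash = ''; // the fragment is a JSON pointer, not part of the request
  return { ok: true, url: url.href };
}

// Walk a parsed spec and report a verdict for each remote $ref.
// Local refs ('#/...') are not network fetches and are skipped.
function auditSpecRefs(node, out = []) {
  if (Array.isArray(node)) node.forEach((n) => auditSpecRefs(n, out));
  else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k === '$ref' && typeof v === 'string' && !v.startsWith('#')) out.push({ ref: v, ...validateRefTarget(v) });
      else auditSpecRefs(v, out);
    }
  }
  return out;
}

// Follow redirects manually so every hop passes validateRefTarget. fetchLike(url)
// returns { status, location?, body? } and must not follow redirects on its own.
function fetchRefWithRevalidation(ref, fetchLike, maxHops = 5) {
  let current = ref;
  for (let hop = 0; hop <= maxHops; hop++) {
    const v = validateRefTarget(current);
    if (!v.ok) throw new Error(`blocked ${current}: ${v.reason}`);
    const res = fetchLike(v.url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, v.url).href; // Location may be relative
      continue;
    }
    return res;
  }
  throw new Error(`too many redirects for ${ref}`);
}

// Constructed sample spec: a public ref, a metadata-endpoint ref and a local ref.
const SAMPLE_SPEC = {
  openapi: '3.0.0',
  paths: { '/pets': { get: { responses: { 200: { $ref: 'https://schemas.example.com/pet.json#/Pet' } } } } },
  components: { schemas: {
    Owner: { $ref: 'http://169.254.169.254/latest/meta-data/' },
    Tag: { $ref: '#/components/schemas/Local' },
  } },
};

// Constructed stub: the public host redirects to loopback, which must be refused.
function fakeFetch(url) {
  if (url === 'https://schemas.example.com/pet.json') return { status: 302, location: 'http://127.0.0.1:8080/pet.json' };
  return { status: 200, body: '{}' };
}

function demo() {
  const audit = auditSpecRefs(SAMPLE_SPEC);
  let redirectBlocked = null;
  try { fetchRefWithRevalidation(audit[0].ref, fakeFetch); } catch (e) { redirectBlocked = e.message; }
  return { audit, redirectBlocked };
}
```

Running `demo()` reports the metadata `$ref` as blocked at audit time and the public `$ref` as blocked at its first redirect hop, which is the point of re-validating per hop: a host that passed the initial check can still steer the generator to an internal address through a `Location` header. Literal checks alone are not enough; the same `isBlockedAddress` rule has to run on the resolved addresses at connection time to close the DNS-rebinding window the advisory mentions.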
You are affected if you are using a version that falls within the vulnerable range.
swagger-typescript-api is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 13.12.1.
Upgrade the swagger-typescript-api library to the patched version.