Microsoft.OpenApi.Kiota.Builder is vulnerable to Command Injection
93
Critical Risk
The kiota info command reads the dependencyInstallCommand from the x-ms-kiota-info OpenAPI extension and presents it as the tool's own recommended install command. An attacker-controlled or tampered OpenAPI description can supply an arbitrary shell command, which is also exposed verbatim through the --json output consumed by the Kiota VS Code extension. A developer who runs the suggested command, or an IDE install action, executes attacker-controlled shell on the workstation or CI host. The fix removes support for the description-supplied install command entirely.
You are affected if you are using a version that falls within the vulnerable range and you run kiota info on untrusted OpenAPI descriptions and execute the suggested install command.
Microsoft.OpenApi.Kiota.Builder is vulnerable to Command Injection in versions 0.0.1 - 1.32.4.
Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant