@microsoft/kiota is vulnerable to Path Traversal
93
Critical Risk
Kiota writes the static_template.file path from the x-ai-adaptive-card and x-ai-capabilities OpenAPI extensions verbatim into generated Microsoft 365 Copilot and Teams plugin manifests without validation. An attacker-controlled OpenAPI description can embed .. traversal segments or an absolute path in this field. When the generated plugin is later deployed, the AI host resolves the reference to a file outside the plugin package, causing path traversal and out-of-package file inclusion. The fix validates static_template.file as a relative path confined to the plugin output and rejects absolute, rooted, and traversal values.
You are affected if you are using a version that falls within the vulnerable range and you generate Microsoft 365 Copilot or Teams API plugins from an untrusted or attacker-influenced OpenAPI description.
@microsoft/kiota is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.
Upgrade the @microsoft/kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant