Microsoft.OpenApi.Kiota.Builder is vulnerable to Server-Side Request Forgery (SSRF)
71
High Risk
Kiota resolves OpenAPI $ref values by fetching remote http(s) URLs and reading local files, including absolute and out-of-tree paths, and inlines the referenced schema into the generated client. Running the generator on an attacker-controlled OpenAPI description whose $ref points at an internal URL or an arbitrary local file causes server-side requests from the build host and disclosure or inclusion of untrusted remote and local content. No code execution results because output sinks stay escaped. The fix makes external reference resolution default-deny and requires explicit opt-in through the --allowed-external-origins parameter.
You are affected if you are using a version that falls within the vulnerable range and you run the generator on untrusted OpenAPI descriptions that contain external references.
Microsoft.OpenApi.Kiota.Builder is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 1.32.4.
Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant