datamodel-code-generator is vulnerable to Exposure of Sensitive Information
37
Low Risk
When datamodel-code-generator fetches a remote schema and follows HTTP redirects manually, it re-sends the original request headers, including Authorization, Cookie, and Proxy-Authorization, even when a redirect changes origin. An operator who scopes credentials to a trusted schema host can leak them to an attacker-controlled redirect target via a compromised host or attacker-influenced $ref. The fix strips sensitive headers on cross-origin redirects while preserving them for same-origin hops.
You are affected if you are using a version that falls within the vulnerable range and you pass authentication headers or URL credentials when fetching remote schemas.
datamodel-code-generator is vulnerable to Exposure of Sensitive Information in versions 0.0.1 - 0.62.0.
Upgrade the datamodel-code-generator library to the patched version.
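The cross-origin check described above, sketched as an added example; it is not datamodel-code-generator's actual patch. The function names, hosts, token and redirect chain are hypothetical, and an origin is taken to be the (scheme, host, port) triple.

```python
from __future__ import annotations
from urllib.parse import urljoin, urlsplit

# Headers the advisory names as re-sent across origins.
SENSITIVE = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port), with the scheme's default port made explicit."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def next_hop(current_url: str, location: str, headers: dict) -> tuple:
    """Resolve a redirect; return (target_url, headers safe to send there)."""
    target = urljoin(current_url, location)  # Location may be relative
    if origin(target) == origin(current_url):
        return target, dict(headers)  # same origin: credentials preserved
    # Origin changed (scheme, host or port): drop credential-bearing headers.
    return target, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def follow(start_url: str, headers: dict, redirects: dict, max_hops: int = 10) -> list:
    """Walk a redirect map {url: Location}; return [(url, headers_sent), ...]."""
    url, hdrs, trail = start_url, dict(headers), []
    for _ in range(max_hops):
        trail.append((url, hdrs))
        if url not in redirects:
            break
        # Headers stripped on one hop stay stripped on later hops.
        url, hdrs = next_hop(url, redirects[url], hdrs)
    return trail


if __name__ == "__main__":
    # Constructed sample: hosts, token and redirect chain are hypothetical.
    START = "https://schemas.example.internal/api/root.json"
    REDIRECTS = {
        START: "/v2/root.json",
        "https://schemas.example.internal/v2/root.json": "https://cdn.example.net/root.json",
    }
    sent = follow(START, {"Authorization": "Bearer constructed", "Accept": "application/json"}, REDIRECTS)
    for url, hdrs in sent:
        print(url, sorted(hdrs))
```

A scheme downgrade or port change on the same host counts as a new origin here, so credentials are dropped in those cases as well.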