@microsoft/kiota is vulnerable to Server-Side Request Forgery (SSRF)
71
High Risk
Kiota resolves OpenAPI $ref values by fetching remote http(s) URLs and reading local files, including absolute and out-of-tree paths, and inlines the referenced schema into the generated client. Running generation on an attacker-controlled description causes the build host to make outbound requests to attacker or internal URLs and to read arbitrary local files whose contents are inlined into the generated client. This enables server-side request forgery along with remote and local file inclusion, without code execution. The fix makes external reference resolution default-deny and requires explicit allow-listing via a new allowed-origins parameter.
You are affected if you are using a version that falls within the vulnerable range and you run generation on an untrusted or attacker-influenced OpenAPI description that contains external $ref values.
@microsoft/kiota is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 1.32.4.
Upgrade the @microsoft/kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant