Intel

AIKIDO-2026-413518

@microsoft/kiota is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)CVE-2026-59867 Published 3 days ago

71

High Risk

This Affects:

JS@microsoft/kiota
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota resolves OpenAPI $ref values by fetching remote http(s) URLs and reading local files, including absolute and out-of-tree paths, and inlines the referenced schema into the generated client. Running generation on an attacker-controlled description causes the build host to make outbound requests to attacker or internal URLs and to read arbitrary local files whose contents are inlined into the generated client. This enables server-side request forgery along with remote and local file inclusion, without code execution. The fix makes external reference resolution default-deny and requires explicit allow-listing via a new allowed-origins parameter.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run generation on an untrusted or attacker-influenced OpenAPI description that contains external $ref values.

Background info

@microsoft/kiota is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the @microsoft/kiota library to the patch version.