@microsoft/kiota is vulnerable to Path Traversal
70
High Risk
Kiota honors the per-client and per-plugin outputPath values in a committed .kiota/workspace.json without confining them to the workspace. A malicious repository or pull request can set outputPath to an absolute or traversal path so that running the documented client or plugin generate command writes the generated files outside the workspace. This yields arbitrary file write on the developer or CI host filesystem. The fix validates each outputPath as a relative subdirectory of the workspace and aborts generation when a resolved path escapes it.
You are affected if you are using a version that falls within the vulnerable range and you run kiota client generate or kiota plugin generate against a .kiota/workspace.json from an untrusted repository or pull request.
@microsoft/kiota is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.
Upgrade the @microsoft/kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant