Intel

AIKIDO-2026-55303

@microsoft/kiota is vulnerable to Command Injection

Command InjectionCVE-2026-59865 Published 3 days ago

93

Critical Risk

This Affects:

JS@microsoft/kiota
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

The kiota info command reads the dependencyInstallCommand value from the x-ms-kiota-info OpenAPI extension and presents it as the tool's own recommended install command, and also exposes it raw through kiota info --json. An attacker-controlled description can supply an arbitrary shell command that a developer executes when following the tool's hint, or that the IDE extension runs automatically. This results in command injection and arbitrary code execution on the developer or CI host. The fix removes support for spec-supplied install commands so only kiota's built-in package-manager templates are surfaced.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run kiota info on an untrusted or attacker-influenced OpenAPI description and execute the surfaced install command.

Background info

@microsoft/kiota is vulnerable to Command Injection in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the @microsoft/kiota library to the patch version.