@microsoft/kiota is vulnerable to Command Injection
93
Critical Risk
The kiota info command reads the dependencyInstallCommand value from the x-ms-kiota-info OpenAPI extension and presents it as the tool's own recommended install command, and also exposes it raw through kiota info --json. An attacker-controlled description can supply an arbitrary shell command that a developer executes when following the tool's hint, or that the IDE extension runs automatically. This results in command injection and arbitrary code execution on the developer or CI host. The fix removes support for spec-supplied install commands so only kiota's built-in package-manager templates are surfaced.
You are affected if you are using a version that falls within the vulnerable range and you run kiota info on an untrusted or attacker-influenced OpenAPI description and execute the surfaced install command.
@microsoft/kiota is vulnerable to Command Injection in versions 0.0.1 - 1.32.4.
Upgrade the @microsoft/kiota library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant