
AIKIDO-2026-570574

datamodel-code-generator is vulnerable to Code Injection

Code Injection
CVE-2026-54654
Published 4 days ago

78

High Risk

This Affects:

Python: datamodel-code-generator
0.14.1 - 0.60.1
Fixed in 0.60.2

TL;DR

When --extra-template-data supplies a model comment containing a bare carriage return or another line-terminating control character, the built-in Jinja2 templates render the value into the generated Python # comments without escaping it. Python treats a bare CR as a physical line terminator, so attacker text placed after the CR is parsed as executable Python in the generated class body, and importing the generated module executes the injected code at class-definition time. The fix normalizes comment values and prefixes every continuation line so attacker-controlled content stays inside the comment block.
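As an added example, not code from datamodel-code-generator or from this advisory, the following shows the kind of comment normalization the TL;DR describes, next to a parser-based check that tells whether a rendered comment stayed a comment. The render_model stand-in template, safe_comment, parsed_statements and the sample comment value are all constructed here.

```python
"""Added example: keep a user-supplied comment inside a generated # comment."""
import ast

# Constructed sample value of the shape the advisory describes: a bare CR
# followed by text indented like a class-body statement.
CONSTRUCTED_COMMENT = "Customer record\r    extra_attr = 1"


def safe_comment(value: str, indent: str = "    ") -> str:
    """Normalize a comment value so every physical line remains a comment.

    str.splitlines() splits on a superset of the terminators the Python
    tokenizer recognizes (\\n, \\r, \\r\\n, \\x0b, \\x0c, \\x1c-\\x1e, \\x85,
    \\u2028, \\u2029), so using it is conservative: each continuation line
    is re-emitted behind a '# ' prefix joined by a plain '\\n'.
    """
    lines = value.splitlines() or [""]
    return ("\n" + indent + "# ").join(lines)


def render_model(name: str, comment: str, normalize: bool) -> str:
    """Stand-in for a template that emits a class with the comment in its body.

    normalize=False pastes the value verbatim, like the vulnerable templates;
    normalize=True routes it through safe_comment() first.
    """
    body = safe_comment(comment) if normalize else comment
    return f"class {name}:\n    # {body}\n    pass\n"


def parsed_statements(source: str) -> list[str]:
    """Return every statement Python's parser finds, other than the class
    definitions and their 'pass' placeholders. An empty list means nothing in
    the comment was parsed as code."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.stmt) and not isinstance(node, (ast.ClassDef, ast.Pass)):
            found.append(ast.unparse(node))
    return found


if __name__ == "__main__":
    for normalize in (False, True):
        src = render_model("Model", CONSTRUCTED_COMMENT, normalize)
        print(f"normalize={normalize}: parsed statements = {parsed_statements(src)}")
```

Running the same check over a freshly generated module before importing it is a cheap way to confirm that comment text did not leak out of the comment block.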

Who does this affect?

You are affected if you run a version in the vulnerable range (0.14.1 - 0.60.1) and pass attacker-influenced input through --extra-template-data.

Background info

datamodel-code-generator is vulnerable to Code Injection in versions 0.14.1 - 0.60.1.

How to fix this

Upgrade datamodel-code-generator to 0.60.2 or later, the release that contains the fix.