Intel

AIKIDO-2026-686799

@microsoft/kiota is vulnerable to Path Traversal

Path TraversalCVE-2026-59866 Published 3 days ago

93

Critical Risk

This Affects:

JS@microsoft/kiota
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota emits the clientClassName and clientNamespaceName values from the x-ms-kiota-info OpenAPI extension without identifier or path sanitization, using them as both the generated class or namespace name and part of the output path. When generation runs without an explicit class name, an attacker-controlled description can set these values to write the generated source file outside the intended output directory and to inject text into the generated declarations. The dominant impact is arbitrary file write, with generated-code corruption as a secondary effect. The fix sanitizes both values to allowed identifier characters before they influence the path or the declaration.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you generate a client without an explicit --class-name from an untrusted or attacker-influenced OpenAPI description.

Background info

@microsoft/kiota is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the @microsoft/kiota library to the patch version.