Intel

AIKIDO-2026-739977

@asyncapi/generator is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

59

Medium Risk

This Affects:

JS@asyncapi/generator
1.7.0 - 3.2.2
Fixed in 3.2.3
Are you affected? Scan for Free

TL;DR

@asyncapi/generator can map a remote schema base URL to a local folder so $refs are resolved from disk. The resolver builds the local file path by string-replacing the base URL prefix with the mapped folder and reads it without normalizing the result or confirming it stays inside that folder. A malicious AsyncAPI document can use ../ traversal sequences, or a symlink planted under the mapped folder, to make the resolver read files outside the intended directory and pull their contents into the generation process. The fix canonicalizes the resolved path and rejects any reference that escapes the mapped base folder.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your project enables the mapBaseUrlToFolder option while generating from untrusted AsyncAPI documents.

Background info

@asyncapi/generator is vulnerable to Path Traversal in versions 1.7.0 - 3.2.2.

How to fix this

Upgrade the @asyncapi/generator library to the patch version.