datamodel-code-generator is vulnerable to Code Injection
88
High Risk
When generating Python models from attacker-controlled JSON Schema, OpenAPI, or related schema input, schema-provided default_factory values are interpolated verbatim into generated Field(default_factory=...) or field(default_factory=...) calls without validation. The expression is evaluated at class-definition time when the generated module is imported, enabling arbitrary code execution in the developer or CI process. Default invocation against a malicious schema reaches this sink without special CLI flags. The fix whitelists only dict, list, and set as allowed factory names and rejects other values before code generation.
You are affected if you are using a version that falls within the vulnerable range.
datamodel-code-generator is vulnerable to Code Injection in versions 0.17.0 - 0.60.1.
Upgrade the datamodel-code-generator library to a patched version, i.e. one later than the vulnerable range above.
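To illustrate the allowlist check the fix describes, here is an added example (not datamodel-code-generator's own code): a walk over a JSON-like schema that rejects any `default_factory` value other than `dict`, `list` or `set` before anything is rendered, plus a field renderer that only interpolates an allowlisted name. The sample schemas, the `Field` rendering helper and all function names are constructed for illustration.

```python
from typing import Any, Iterator

# Added example, not datamodel-code-generator's own code: the only names the fix accepts.
ALLOWED_FACTORIES = {"dict", "list", "set"}

class UnsafeDefaultFactory(ValueError):
    """Raised when a schema supplies a default_factory outside the allowlist."""

def iter_default_factories(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Walk a JSON-like schema, yielding (path, value) for every default_factory key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "default_factory":
                yield child, value
            else:
                yield from iter_default_factories(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_default_factories(item, f"{path}[{i}]")

def check_schema(schema: dict) -> list[str]:
    """Return paths of allowlisted default_factory values; raise on any other."""
    # Rejecting before generation keeps the untrusted string out of the generated
    # module, so nothing schema-chosen is evaluated when that module is imported.
    accepted = []
    for path, value in iter_default_factories(schema):
        if not (isinstance(value, str) and value in ALLOWED_FACTORIES):
            raise UnsafeDefaultFactory(f"{path}: {value!r} not in {sorted(ALLOWED_FACTORIES)}")
        accepted.append(path)
    return accepted

def schema_is_safe(schema: dict) -> bool:
    """Boolean form for a CI gate: True only if every default_factory is allowlisted."""
    try:
        check_schema(schema)
        return True
    except UnsafeDefaultFactory:
        return False

def render_field(name: str, factory: str) -> str:
    """Emit one pydantic Field(...) line; the name is interpolated only after the check."""
    if factory not in ALLOWED_FACTORIES:
        raise UnsafeDefaultFactory(f"{name}: refusing to interpolate {factory!r}")
    return f"{name}: Any = Field(default_factory={factory})"

# Constructed sample schemas: one allowlisted factory, one arbitrary (untrusted) expression.
SAFE_SCHEMA = {"properties": {"tags": {"type": "array", "default_factory": "list"}}}
UNSAFE_SCHEMA = {"properties": {"tags": {"type": "array", "default_factory": "untrusted_expr()"}}}
```

Running `schema_is_safe` over every schema before invoking the generator gives a CI gate equivalent to the patched behaviour, which is useful where upgrading immediately is not possible.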