DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-RJWR-M7QX-3FJR: GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

Vulnerability ID: GHSA-RJWR-M7QX-3FJR
CVSS Score: 8.6
Published: 2026-07-17

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

TL;DR

A code injection flaw in oapi-codegen allows attackers to execute arbitrary Go code during compilation via crafted OpenAPI specifications.


Technical Details

  • CWE ID: CWE-94, CWE-116, CWE-74
  • Attack Vector: Local/Remote via Malicious OpenAPI Spec
  • CVSS Base Score: 8.6 (High) / 10.0 (Critical)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • oapi-codegen command-line utility
  • CI/CD pipelines relying on automated OpenAPI code generators
  • oapi-codegen: < 2.7.1 (Fixed in: v2.7.1)

Code Analysis

Commit: 19c6282

Fix string escaping and comment sanitization in templates

Mitigation Strategies

  • Upgrade oapi-codegen to v2.7.1 or higher
  • Scan incoming third-party OpenAPI schema specifications for injection payloads
  • Avoid manual string quoting in custom code generation templates

Remediation Steps:

  1. Run 'go get github.com/oapi-codegen/oapi-codegen/v2@v2.7.1' to update the module dependency
  2. Re-run code generation pipelines using the updated version to overwrite vulnerable generated files
  3. Inspect any customized templates to verify they utilize standard library formatting helpers

References


Read the full report for GHSA-RJWR-M7QX-3FJR on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)