GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen
Vulnerability ID: GHSA-RJWR-M7QX-3FJR
CVSS Score: 8.6
Published: 2026-07-17
An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.
TL;DR
A code injection flaw in oapi-codegen allows attackers to execute arbitrary Go code during compilation via crafted OpenAPI specifications.
Technical Details
- CWE ID: CWE-94, CWE-116, CWE-74
- Attack Vector: Local/Remote via Malicious OpenAPI Spec
- CVSS Base Score: 8.6 (High) / 10.0 (Critical)
- Exploit Status: Proof-of-Concept
- CISA KEV Status: Not Listed
Affected Systems
- oapi-codegen command-line utility
- CI/CD pipelines relying on automated OpenAPI code generators
-
oapi-codegen: < 2.7.1 (Fixed in:
v2.7.1)
Code Analysis
Commit: 19c6282
Fix string escaping and comment sanitization in templates
Mitigation Strategies
- Upgrade oapi-codegen to v2.7.1 or higher
- Scan incoming third-party OpenAPI schema specifications for injection payloads
- Avoid manual string quoting in custom code generation templates
Remediation Steps:
- Run 'go get github.com/oapi-codegen/oapi-codegen/v2@v2.7.1' to update the module dependency
- Re-run code generation pipelines using the updated version to overwrite vulnerable generated files
- Inspect any customized templates to verify they utilize standard library formatting helpers
References
Read the full report for GHSA-RJWR-M7QX-3FJR on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)