External risk intelligence

OpenAPI Generator SSRF Vulnerability Affecting Client Generation

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2023-27162

The vulnerability exists in an API endpoint (/api/gen/clients/{language}) provided by the openapi-generator tool. As this tool is frequently deployed as a web-based API service or generator portal exposed to developers or automated pipelines over a network, it is commonly configured as an internet-accessible or externally reachable interface.

Server-Side Request Forgery

Openapi Generator Openapi Generator

6.4.0 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in openapi-generator allows unauthorized access to internal network resources and sensitive information through a crafted API request. This issue, classified as critical, could potentially expose confidential data and disrupt network operations if exploited. The primary concern is confirming if your organization uses this technology and is exposed.

  • API tool can expose network resources.
  • Vulnerability allows access to sensitive information.
  • Confirm technology use and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to the API endpoint that handles client generation. This request leverages the `/api/gen/clients/{language}` component to trick the server into making an unintended request to an internal or external resource. This occurs because the server does not properly validate the input used in constructing the request path.

  • Entry condition: Network access to the API.
  • Trigger point: A crafted API request to `/api/gen/clients/{language}`.
  • Resulting risk: Sensitive information disclosure and network resource access.

Live Threat

Current exploitation, exposure, and threat context

A Server-Side Request Forgery vulnerability in openapi-generator could allow an unauthenticated attacker to make arbitrary network requests to internal or external resources by sending a crafted API request to the `/api/gen/clients/{language}` endpoint. This could lead to the exposure of sensitive information or unauthorized access to network resources.

  • Network resources and sensitive data.
  • Via crafted API requests to a vulnerable endpoint.
  • Access to internal systems and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The openapi-generator tool, specifically versions up to 6.4.0, contains a critical Server-Side Request Forgery (SSRF) vulnerability that could allow attackers to access network resources and sensitive information. Responsibility for addressing this typically falls to the teams managing the application development lifecycle or the infrastructure hosting the generator. The immediate first step should be to identify all instances of this tool, determine their exposure and criticality, and then engage the accountable owner to plan remediation, potentially involving vendor coordination or temporary risk reduction measures if direct patching is not feasible during business hours.

  • Application or Infrastructure teams own.
  • Verify exposure and criticality first.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is openapi-generator and how is it used?

OpenAPI Generator is an open-source tool used by developers to automatically create API client libraries, server stubs, and documentation based on OpenAPI specifications. It streamlines the development lifecycle by automating the generation of boilerplate code for various programming languages, ensuring consistency between API definitions and their implementations.

What is the CWE-918 weakness in CVE-2023-27162?

CVE-2023-27162 involves Server-Side Request Forgery (SSRF), categorized as CWE-918. This means the software fails to properly validate user-supplied input when constructing network requests. Consequently, an attacker can manipulate the application into performing requests on its behalf, effectively using the server as a proxy to interact with internal or external resources that should be off-limits.

How does an attacker trigger this SSRF vulnerability?

The vulnerability is triggered by sending a specially crafted API request to the specific endpoint path /api/gen/clients/{language}. Simply having the software installed is not enough; the flaw is only reachable when the generator service is active and accepts network requests. Legitimate API calls that do not include malicious input targeting the request path do not trigger this specific issue.

Is my instance of openapi-generator at risk?

According to Halo Surface Signal, this vulnerability is most relevant if your openapi-generator instance is configured as a web-based service or developer portal. Because the tool is frequently deployed to be reachable over a network for automated pipelines or developer access, internet-facing instances carry a higher risk. You should evaluate whether your deployment is exposed to external traffic or restricted to internal users.

What steps should I take to address this vulnerability?

Begin by identifying all deployments of openapi-generator versions up to 6.4.0 within your environment. Once mapped, verify the network exposure and criticality of each instance. Coordinate with your application or infrastructure teams to plan remediation, which may involve updating to a version where this issue is resolved or applying temporary network controls to limit access to the vulnerable API endpoint.

References