Kiota Code Generation Literal Injection Vulnerability
Vulnerability
A code-generation literal injection vulnerability has been identified in Kiota, an OpenAPI-based HTTP client code generator. This vulnerability affects versions prior to 1.31.1 and arises in multiple writer sinks, such as serialization and deserialization keys, path and query parameter mappings, URL template metadata, enum and property metadata, and default value emission. The issue occurs when malicious values from an OpenAPI description are injected into the generated source without proper escaping, allowing an attacker to break out of string literals and insert additional code into the generated clients. The vulnerability is only practically exploitable if the OpenAPI description used for generation is from an untrusted source or has been compromised. To mitigate this risk, it is recommended to generate clients from trusted, integrity-protected API descriptions.
Impact
Exploitation of this vulnerability allows for code injection into generated clients, where the injected code is executed as part of the client's functionality. This could lead to arbitrary code execution, depending on the context in which the generated client is used.
Reproduction
To reproduce this vulnerability, generate a Kiota client using an OpenAPI description that is either untrusted or has been tampered with. Include a malicious default value in the OpenAPI schema that breaks out of string literals and injects code, such as a C# exception throw statement. After generation, the injected code will be executed as part of the client's methods, demonstrating the successful exploitation of the vulnerability.
Remediation
Upgrade Kiota to version 1.31.1 or later. After upgrading, regenerate or refresh existing generated clients to replace any previously generated vulnerable code with the updated, secure version.
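The two sides of this issue, the unescaped emission that lets a description value terminate a string literal and the escaping that keeps it inside the literal, can be shown in a few lines. The Python below is an added example, not Kiota's own code: `naive_literal`, `escaped_literal` and `scan_description` are constructed for illustration, as is the OpenAPI document `SAMPLE_DESCRIPTION`. The scanner is a pre-generation check a consumer of third-party API descriptions can run before handing the file to any generator; it walks the sinks the advisory names (property and parameter names, path templates, enum values, defaults) and reports anything carrying quote, backslash, control or line-terminator characters.

```python
"""
Added example, not part of Kiota: escaping untrusted OpenAPI values before
they are emitted as string literals, plus a pre-generation scan of an
OpenAPI description for values that could terminate a literal.
"""
import json
import re
from typing import Any, List, Optional, Tuple

# Escapes for characters that end or alter a C#-style double-quoted literal.
_CSHARP_ESCAPES = {
    "\\": "\\\\",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\0": "\\0",
}


def naive_literal(value: str) -> str:
    """The unsafe pattern: the value is pasted between quotes unchanged.
    A double quote inside `value` ends the literal early and whatever
    follows becomes code in the generated file."""
    return f'"{value}"'


def escaped_literal(value: str) -> str:
    """Emit a C#-style string literal in which every character of `value`
    stays inside the literal. Control characters and anything outside
    printable ASCII are written as \\uXXXX escapes, so Unicode line
    terminators such as U+2028 cannot slip through either."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in _CSHARP_ESCAPES:
            out.append(_CSHARP_ESCAPES[ch])
        elif cp < 0x20 or cp > 0x7E:
            if cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
                cp -= 0x10000
                out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
            else:
                out.append(f"\\u{cp:04X}")
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


# Characters able to terminate a single- or double-quoted literal, start an
# escape sequence, or break a line inside generated source.
_SUSPICIOUS = re.compile(r'["\'\\\x00-\x1f\x7f\u2028\u2029]')

# Value-bearing keys whose string contents flow into generated code.
# Dictionary keys (property names, path templates) are always checked.
_SINK_KEYS = {"default", "const", "enum", "example", "name"}


def scan_description(doc: Any, pointer: str = "",
                     parent_key: Optional[str] = None) -> List[Tuple[str, str]]:
    """Walk a parsed OpenAPI document and return (JSON pointer, offending
    text) for every key, or string value under a sink key, that contains a
    literal-breaking character."""
    findings: List[Tuple[str, str]] = []
    if isinstance(doc, dict):
        for key, val in doc.items():
            child = f"{pointer}/{key.replace('~', '~0').replace('/', '~1')}"
            if _SUSPICIOUS.search(key):
                findings.append((child, key))
            findings.extend(scan_description(val, child, key))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            findings.extend(scan_description(item, f"{pointer}/{i}", parent_key))
    elif isinstance(doc, str) and parent_key in _SINK_KEYS and _SUSPICIOUS.search(doc):
        findings.append((pointer, doc))
    return findings


# Constructed sample description: one property default carries a quote and a
# newline, which is exactly the kind of value that must never reach the
# generated source unescaped.
SAMPLE_DESCRIPTION = json.loads(r'''
{
  "openapi": "3.0.3",
  "info": {"title": "Constructed sample", "version": "1.0"},
  "paths": {
    "/items/{id}": {
      "get": {
        "parameters": [
          {"name": "id", "in": "path", "required": true, "schema": {"type": "string"}},
          {"name": "filter", "in": "query", "schema": {"type": "string", "default": "all"}}
        ],
        "responses": {"200": {"description": "ok"}}
      }
    }
  },
  "components": {
    "schemas": {
      "Item": {
        "type": "object",
        "properties": {
          "label": {"type": "string", "default": "say \"hi\"\nthere"},
          "kind": {"type": "string", "enum": ["plain", "fancy"]}
        }
      }
    }
  }
}
''')

if __name__ == "__main__":
    for where, text in scan_description(SAMPLE_DESCRIPTION):
        print(f"{where}: unsafe as {naive_literal(text)!r}, "
              f"safe as {escaped_literal(text)}")
```

The scan deliberately checks only name-like keys and value-bearing sink keys rather than every string, so free-text `description` fields with apostrophes do not drown the report. Its output is a review aid for descriptions received from outside, not a substitute for the fix in 1.31.1: the generator itself must escape at every writer sink, because a description can be well-formed and still contain such values.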
