How GHSA-v5pm-xwqc-g5wc Works
The vulnerability exists in how the Microsoft.OpenApi library, also known as OpenAPI.NET, handles the parsing and resolution of schema references within an OpenAPI document. A core feature of the OpenAPI specification is the ability to define reusable components, such as schemas, and reference them using the `$ref` keyword. This allows for cleaner and more maintainable API definitions by avoiding duplication.
The issue arises when these schema references form a cycle. For example, Schema A can reference Schema B, and Schema B can reference Schema A. Such circular references, while syntactically valid in the OpenAPI specification, are problematic for many parsers.
When the OpenAPI.NET library’s public reader APIs attempt to parse a document containing these circular references, the resolution logic enters an infinite loop. The parser tries to resolve the reference to Schema A, which points to Schema B, which in turn points back to Schema A. This creates a recursive traversal that never terminates.
Each recursive call consumes a small amount of memory on the call stack. As the loop continues indefinitely, the call stack grows until it exceeds its allocated limit, resulting in a StackOverflowException. This exception is fatal and causes the entire process to terminate abruptly, leading to a denial of service.
This vulnerability has been confirmed to affect both the JSON and YAML reader paths within the library, meaning any application that parses OpenAPI documents in either format is susceptible. The issue has been reproduced in a standalone harness and also within Microsoft’s own Kiota tool, which uses the OpenAPI.NET library in its `kiota show --openapi
The impact is strictly limited to availability, i.e., process termination. It does not lead to remote code execution, data exposure, or any other type of security compromise. The vulnerability is triggered by a maliciously crafted OpenAPI document, making it a risk for any application, CLI, or service that parses untrusted OpenAPI documents in-process.
DailyCVE Form
Platform: .NET Library
Version: 2.0.0-preview11 to 2.7.4, 3.0.0 to 3.5.3
Vulnerability: Denial of Service (Stack Overflow)
Severity: Medium
Date: 2026-05-28
Prediction: 2026-06-04
What Undercode Say:
The vulnerability is triggered by a specific, yet simple, OpenAPI document structure. The following payload is sufficient to crash any affected application that parses it.
Payload (OpenAPI JSON):
```json
{
  "openapi": "3.0.0",
  "info": {
    "title": "Test",
    "version": "0.0.1"
  },
  "paths": {},
  "components": {
    "schemas": {
      "A": {
        "$ref": "#/components/schemas/B"
      },
      "B": {
        "$ref": "#/components/schemas/A"
      }
    }
  }
}
```
Reproduction with Kiota:
The vulnerability can be reproduced using the Kiota CLI tool, which utilizes the vulnerable library.
```shell
kiota show --openapi malicious-openapi.json
```
This command will cause the process to crash with a StackOverflowException.
Affected Package Versions:
- 2.x Major Version: `>= 2.0.0-preview11` and `<= 2.7.4`
- 3.x Major Version: `>= 3.0.0` and `<= 3.5.3`
Patched Versions:
- 2.x Major Version: `2.7.5` and above
- 3.x Major Version: `3.5.4` and above
Exploit:
An attacker can exploit this vulnerability by providing a specially crafted OpenAPI document to a vulnerable application. The attack vector depends on how the application processes OpenAPI documents. Common scenarios include:
1. Malicious API Specification: An attacker could host a malicious API specification and trick a developer or a tool into downloading and parsing it.
2. Man-in-the-Middle (MitM) Attack: If an application fetches an OpenAPI document over an insecure connection (e.g., HTTP), an attacker could intercept the traffic and replace the legitimate document with the malicious one.
3. Compromised Dependency: An attacker could compromise a dependency or a service that provides an OpenAPI document, injecting the malicious payload.
The exploit is reliable and requires no special privileges. The only requirement is that the target application parses the malicious document using the vulnerable OpenAPI.NET library.
Protection:
The primary and most effective protection against this vulnerability is to upgrade the Microsoft.OpenApi library to a patched version.
- Upgrade your NuGet package:

```shell
# For the 2.x major version line
dotnet add package Microsoft.OpenApi --version 2.7.5

# For the 3.x major version line
dotnet add package Microsoft.OpenApi --version 3.5.4
```
As a defense-in-depth measure, applications that parse OpenAPI documents from untrusted sources should consider the following:
- Process Isolation: Run the parsing logic in a separate, isolated process. This contains the impact of a crash to the child process, preventing the termination of the main application.
- Input Validation: While not a complete solution, implement pre-parsing checks to detect and reject documents with known circular reference patterns before they reach the vulnerable parser.
- Resource Limits: In some environments, it may be possible to set limits on the call stack size or process lifetime, although this is not a reliable mitigation for a StackOverflowException.
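One way to implement the pre-parsing check from the Input Validation item, as an added example (not code from the advisory or from OpenAPI.NET): it follows chains of schemas that consist only of a `$ref`, the pattern in the payload above, and reports a cycle without recursing. `RefCycleGuard` and `FindAliasCycle` are hypothetical names; the code assumes JSON input with local `#/components/schemas/` references and does not cover YAML or other reference forms.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example (hypothetical helper): reject "$ref" alias cycles before parsing.
public static class RefCycleGuard
{
    const string Prefix = "#/components/schemas/";

    // Returns the name of a schema on a pure "$ref" alias cycle, or null if none.
    public static string? FindAliasCycle(string openApiJson)
    {
        // JsonDocument enforces a default maximum nesting depth of 64.
        using var doc = JsonDocument.Parse(openApiJson);
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object ||
            !root.TryGetProperty("components", out var comps) ||
            comps.ValueKind != JsonValueKind.Object ||
            !comps.TryGetProperty("schemas", out var schemas) ||
            schemas.ValueKind != JsonValueKind.Object)
            return null;

        // Map every schema that is a direct alias to the schema name it points at.
        var alias = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var s in schemas.EnumerateObject())
        {
            if (s.Value.ValueKind == JsonValueKind.Object &&
                s.Value.TryGetProperty("$ref", out var r) &&
                r.ValueKind == JsonValueKind.String)
            {
                var target = r.GetString()!;
                if (target.StartsWith(Prefix, StringComparison.Ordinal))
                    alias[s.Name] = target.Substring(Prefix.Length);
            }
        }

        // Walk each chain with a loop, not recursion; a repeated name is a cycle.
        foreach (var start in alias.Keys)
        {
            var seen = new HashSet<string>(StringComparer.Ordinal);
            var cur = start;
            while (alias.TryGetValue(cur, out var next))
            {
                if (!seen.Add(cur)) return cur;
                cur = next;
            }
        }
        return null;
    }
}
```

Call it on the raw document text before handing it to the reader and reject the input when it returns a name. Schemas that refer to themselves through `properties` or `items` are not flagged, so this narrows exposure only to the pattern shown above and does not replace the upgrade.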
Impact
- Availability: The primary impact is a denial of service. A successful exploit will cause the application process to crash, making it unavailable to legitimate users.
- Development Workflow Disruption: Developers using tools like Kiota that parse OpenAPI documents will experience crashes, hindering their ability to generate API clients.
- Tooling and Services: Any service, CLI tool, or application that parses untrusted OpenAPI documents in-process is vulnerable to being taken offline by an attacker. This could affect API gateways, documentation generators, code generation tools, and testing frameworks.
- Scope: The vulnerability affects a widely used library, potentially impacting a large number of .NET applications and tools that rely on it for OpenAPI processing. The issue is confirmed in both the 2.x and 3.x major version lines of the library.
Sources:
Reported By: github.com