Quarkus OpenAPI Generator, Authentication Bypass, CVE-2025-2970 (Medium)


The vulnerability arises from how the generated authentication filter matches incoming request paths against OpenAPI path templates. Specifically, when deciding whether to attach credentials, the runtime authentication layer compares the outgoing request’s path and method to the set of protected OpenAPI operations. The path‑template matching logic incorrectly treats `{param}` placeholders as a regular expression that matches any character sequence, including the slash (`/`). As a result, a protected path like `/repos/{ref}` will also match a completely different operation’s path such as `/repos/foo/bar`, even though the latter is defined as `/repos/{owner}/{repo}`. When the client invokes the unprotected operation, the authentication filter mistakenly concludes that a protected operation has been matched and attaches its credentials. This flawed behaviour affects all authentication providers that rely on the shared path‑matching logic, including bearer tokens, OAuth, API keys, and basic authentication. The issue can be triggered through normal generated‑client usage without any modification of the generated code.

DailyCVE Form (3 words max per line):

  • Platform: Quarkus OpenAPI Generator
  • Version: 2.16.0
  • Vulnerability: Authentication Bypass
  • Severity: Medium
  • Date: 2025-04-09
  • Prediction: Patched in 2.16.1 (estimated 2025-05-15)

What Undercode Say

Analytics

The following commands demonstrate the vulnerable environment and reproduce the credential‑leak issue:

```shell
# Create the PoC directory structure
mkdir -p /tmp/qoag-poc/src/main/{java/org/acme,resources,openapi}

# Download the pom.xml, OpenAPI spec, application.properties, and TriggerResource.java
# (as provided in the )

# Start a mock server (Python) that logs received credentials.
# Only double quotes are used inside the script, because it is wrapped in
# single quotes for the shell.
python3 -c '
from http.server import BaseHTTPRequestHandler, HTTPServer

class H(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log the request path and any Authorization header the client attached
        print("PATH=%s" % self.path)
        print("AUTH=%s" % self.headers.get("Authorization"))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        # Silence the default per-request access log
        pass

HTTPServer(("127.0.0.1", 18080), H).serve_forever()
' &

# Build and run the Quarkus application
cd /tmp/qoag-poc
mvn -q package -DskipTests
java -jar target/quarkus-app/quarkus-run.jar &

# Trigger the vulnerable call
curl -s http://127.0.0.1:8081/trigger
```

The output shows the mock server receiving `Authorization: Bearer SECRET` for an endpoint that should not require authentication.

Exploit

An attacker can force a client to send bearer tokens, API keys, or basic credentials to endpoints that are not meant to be authenticated. By constructing a request that matches a protected path’s pattern more broadly (e.g., using additional path segments), the client attaches credentials to an unprotected operation. This allows the attacker to capture privileged credentials or invoke privileged actions on low‑trust routes.

Protection

  • Upgrade to Quarkus OpenAPI Generator version 2.16.1 or later once available.
  • Ensure that path templates use explicit, non‑greedy matching in which a placeholder matches a single path segment and never crosses a slash; avoid relying on generic placeholders for security‑sensitive decisions.
  • Review your OpenAPI specifications and explicitly define security requirements for every operation; do not rely solely on default security schemes.
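The following Python example illustrates the matching flaw described above and the single‑segment matching recommended in the Protection list. It is an added example, not code from the Quarkus OpenAPI Generator project: the two operations and the "attach credentials if a protected operation matches" decision are a constructed model of the behaviour the advisory describes, and the function names, `GREEDY_SEGMENT` and `STRICT_SEGMENT` are this example's own. The `shadowed_operations` audit goes slightly beyond the text by checking every unprotected operation in a spec against every protected template, which is the check a reviewer would run over a specification before trusting the generated client.

```python
import re

# Constructed sample of the operations discussed in the advisory:
# (method, OpenAPI path template, requires credentials)
SPEC_OPERATIONS = [
    ("GET", "/repos/{ref}", True),             # protected: bearer token attached
    ("GET", "/repos/{owner}/{repo}", False),   # unprotected
]

# Placeholder syntax used by OpenAPI path templates, e.g. {ref}
PLACEHOLDER = re.compile(r"\{[^/{}]+\}")

# Flawed translation: a placeholder becomes '.*', which also consumes '/'
GREEDY_SEGMENT = ".*"
# Hardened translation: a placeholder matches exactly one path segment
STRICT_SEGMENT = "[^/]+"


def compile_template(template: str, segment_pattern: str) -> re.Pattern:
    """Turn an OpenAPI path template into an anchored regex.

    Literal text is escaped; each {param} is replaced by segment_pattern.
    """
    parts = re.split(r"(\{[^/{}]+\})", template)
    regex = "".join(
        segment_pattern if part.startswith("{") else re.escape(part)
        for part in parts
    )
    return re.compile("^" + regex + "$")


def matches(template: str, path: str, segment_pattern: str) -> bool:
    return compile_template(template, segment_pattern).fullmatch(path) is not None


def should_attach_credentials(method: str, path: str, operations, segment_pattern: str) -> bool:
    """Model of the filter decision: credentials are attached when the
    outgoing request matches any protected operation."""
    return any(
        op_method == method and protected and matches(template, path, segment_pattern)
        for op_method, template, protected in operations
    )


def shadowed_operations(operations, segment_pattern: str):
    """Audit helper (constructed for this example): return (unprotected template,
    protected template) pairs where a concrete instance of the unprotected
    path would be matched by the protected template, i.e. where credentials
    would leak under the given placeholder translation."""
    findings = []
    for method, template, protected in operations:
        if protected:
            continue
        # Build a concrete path by filling every placeholder with a sample value
        concrete = PLACEHOLDER.sub("x", template)
        for other_method, other_template, other_protected in operations:
            if other_protected and other_method == method and matches(
                other_template, concrete, segment_pattern
            ):
                findings.append((template, other_template))
    return findings


if __name__ == "__main__":
    for name, seg in (("greedy", GREEDY_SEGMENT), ("strict", STRICT_SEGMENT)):
        leak = should_attach_credentials("GET", "/repos/foo/bar", SPEC_OPERATIONS, seg)
        print(f"{name}: credentials attached to /repos/foo/bar -> {leak}")
        print(f"{name}: shadowed operations -> {shadowed_operations(SPEC_OPERATIONS, seg)}")
```

With the greedy translation the unprotected `/repos/{owner}/{repo}` operation is reported as shadowed by `/repos/{ref}` and credentials are attached to `/repos/foo/bar`; with the single‑segment translation neither happens, while a genuine protected call such as `/repos/main` still receives its token.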

Impact

  • Credential Exposure: Bearer tokens, API keys, or basic credentials are sent to unintended endpoints, potentially leaking secrets to lower‑trust services.
  • Privilege Misuse: Public operations may be invoked with elevated privileges, leading to unauthorized data access or actions.
  • Security Boundary Violation: The intended separation between protected and unprotected operations is blurred, increasing the attack surface.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
