Swagger has the largest ecosystem of API tooling; thousands of developers support it in almost every modern programming language and deployment environment. Swagger provides users and developers with interactive documentation, client SDK generation and discoverability.
However, a vulnerability has recently been reported in Swagger that could lead to code execution. The company disclosed some details of the vulnerability, released a Metasploit exploit module and proposed a patch.
The release will address a class of vulnerabilities in the Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML file facilitate remote code execution. The vulnerability applies to code generated for NodeJS, PHP, Ruby, Java and other languages. Parameter injection could also affect other code generation tools. Successful exploitation could allow an attacker to embed arbitrary code in the client or server code that is generated automatically to interact with the service definition.
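To illustrate the parameter-injection class described above, here is an added example in Python (not code from the advisory or from the Swagger project): a pre-generation check that walks a parsed Swagger JSON document and flags text fields whose value could break out of the string literal or block comment in which a generator template embeds it, with a simple escaping routine beside it. The field list, the dangerous-sequence pattern, the escaping rules and the sample spec are assumptions constructed for this example; a real generator escapes per target language.

```python
import json
import re

# Sequences that let a spec string escape a quoted literal or a /* */ comment
# in generated source. Assumed set for this example; tune to your templates.
DANGEROUS = re.compile(r'\*/|["\'\\]|[\r\n]')

# Spec fields whose values generators commonly copy verbatim into code
# (assumed list for this example).
TEXT_FIELDS = {"description", "summary", "title", "name", "operationId",
               "default", "example"}

def find_injectable_strings(node, path="$"):
    """Return (json_path, value) pairs for text fields in a parsed
    Swagger/OpenAPI document that contain a dangerous sequence."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in TEXT_FIELDS and isinstance(value, str) and DANGEROUS.search(value):
                hits.append((child, value))
            hits.extend(find_injectable_strings(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_injectable_strings(item, f"{path}[{i}]"))
    return hits

def escape_for_code(value):
    """Neutralise the sequences above so the value stays inside a quoted
    literal or comment: escape backslashes, quotes and line breaks, and
    split the comment terminator with a space (simplified rules)."""
    return (value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
                 .replace("\r", "\\r").replace("\n", "\\n").replace("*/", "* /"))

# Constructed sample spec: the operation description carries a comment
# terminator and a quote, which an unescaped template would copy into code.
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "info": {"title": "Pet Store", "version": "1.0"},
  "paths": {"/pets": {"get": {
      "operationId": "listPets",
      "description": "Lists pets */ \\" unescaped",
      "parameters": [{"name": "limit", "in": "query", "type": "integer",
                      "description": "Max items"}]
  }}}
}""")

if __name__ == "__main__":
    for path, value in find_injectable_strings(SAMPLE_SPEC):
        print(f"{path}: {value!r} -> {escape_for_code(value)!r}")
```

Run the check over an untrusted spec before handing it to a code generator, and treat any hit as a reason to reject or escape the value rather than generate from it.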
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street