swagger-parser is susceptible to arbitrary code execution attacks. Both the readYamlTree() and readYamlValue() functions of swagger-parser load YAML without a safe parsing method, so a malicious YAML file obtained from an untrusted remote source can execute arbitrary code in the application that parses it. All online code generators and validators that use this parser are affected. The underlying YAML library is SnakeYAML (see the lgtm write-up linked below); the fix is in the referenced commit and pull request and ships in swagger-parser v1.0.31.
github.com/swagger-api/swagger-parser/commit/4044ecfb80732b721ffa206388574cf08bf7d295
github.com/swagger-api/swagger-parser/pull/481
github.com/swagger-api/swagger-parser/releases/tag/v1.0.31
lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE-2017-1000208
lgtm.com/query/2023830455/project:24760076/lang:java/