Beware of Code Injection Vulnerability in Modelina Data Modeling Library

CVE: CVE-2023-23619
CVSS v3.1: 10
Source: CVE-2023-23619

Modelina is a popular open source library for generating data models from API specifications like OpenAPI and AsyncAPI. Unfortunately, versions prior to 1.0.0 are vulnerable to code injection attacks.

Attackers could potentially inject malicious code into the API definitions that are then rendered by Modelina. This code would get executed on the servers of anyone using the vulnerable versions of the library.

Code injection vulnerabilities occur when user-controlled input is sent to an interpreter like a programming language compiler/interpreter without proper validation or escaping. In this case, the API definitions are the user input that gets compiled by Modelina.

The maintainers have partially addressed the issue in version 1.0.0, but they note that it cannot be prevented entirely, since users still have access to the original definitions. The best way to protect yourself is to upgrade to the latest 1.x version of Modelina and to access only the generated models, without touching the raw input.

You should also consider writing your own custom presets from scratch if you need full control over how definitions are rendered; that way you decide exactly which parts of a definition reach the generated source, which removes the chance of unexpected code execution. Staying on top of library updates is also important to get the latest security fixes.
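To make the mechanism described above concrete, here is an added example that is not Modelina's code and does not reproduce the exact defect behind CVE-2023-23619: a tiny generator copies a schema's `description` field (hypothetical sample schemas, constructed here) into a generated TypeScript doc comment. The naive renderer pastes the untrusted text verbatim, the hardened renderer escapes it so it can only ever be comment text, and a small output check shows how to verify that nothing but the expected declaration ends up outside the comment.

```javascript
// Added illustration of the vulnerability class in the advisory. This is NOT
// Modelina's code and does not reproduce the exact defect in CVE-2023-23619.
// In the scenario the advisory describes, schema text is attacker-controlled,
// so anything pasted verbatim into generated source is a code-injection sink.

// Constructed sample schemas (hypothetical, not taken from the page).
const benignSchema = { name: 'User', description: 'A registered account' };
const hostileSchema = {
  name: 'User',
  description: 'harmless text */ console.log("injected"); /*',
};

// Naive renderer: untrusted text is concatenated straight into source.
function renderUnsafe(schema) {
  return `/** ${schema.description} */\nexport class ${schema.name} {}\n`;
}

// Neutralise every sequence that can terminate the comment context and drop
// line terminators / control characters, so the description can only ever be
// comment text and never code.
function escapeForDocComment(text) {
  return String(text)
    .replace(/\*\//g, '*\\/')              // close-comment sequence
    .replace(/[\r\n\u2028\u2029]/g, ' ')   // line terminators
    .replace(/[\x00-\x1F\x7F]/g, '');      // remaining control characters
}

// Hardened renderer: escape free text, and refuse (rather than render) any
// name that is not a plain identifier.
function renderSafe(schema) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(schema.name)) {
    throw new Error(`refusing to render non-identifier name: ${schema.name}`);
  }
  const doc = escapeForDocComment(schema.description);
  return `/** ${doc} */\nexport class ${schema.name} {}\n`;
}

// Defender-side check on the generated output: after removing the leading
// block comment, nothing but the expected declaration may remain.
function outputIsOnlyDeclaration(source, name) {
  const withoutComment = source.replace(/\/\*[\s\S]*?\*\//, '').trim();
  return withoutComment === `export class ${name} {}`;
}
```

With the hostile schema, `renderUnsafe` produces a file in which the pasted text closes the comment and the remainder becomes executable code, which `outputIsOnlyDeclaration` flags; `renderSafe` keeps the whole description inside the comment.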
