Quarkus OpenAPI Generator Can Write Files Outside Intended Directory
GHSA-jx2w-vp7f-456q
Summary
A bug in the Quarkus OpenAPI Generator extension allows attackers who control the ZIP files used for code generation to write files outside the intended directory, which can lead to data being overwritten or deleted. This happens when the Quarkus OpenAPI Generator is used in a way that doesn't properly validate the file paths in the ZIP files. To fix this, make sure to update the Quarkus OpenAPI Generator extension to the latest version.
What to do
- Update quarkiverse io.quarkiverse.openapi.generator:quarkus-openapi-generator to version 2.16.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| quarkiverse | io.quarkiverse.openapi.generator:quarkus-openapi-generator | <= 2.15.0 | 2.16.0 |
Original title
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
Original description
### Summary
A path traversal vulnerability was discovered in the quarkus-openapi-generator extension.
### Details
The `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as `new File(toOutputDir, entry.getName())` and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., `../../malicious.java`) would write files outside the target directory.
The interesting thing is that the client module in the same repository already has the correct fix. `OpenApiGeneratorStreamCodeGen.java` at line 137 performs proper `normalize()` and `startsWith()` validation. The server module was simply missed.
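The check the client module already performs, written out as an added example (this is illustrative code, not the extension's own `unzip()`): each entry name is resolved against the output directory, normalized, and rejected unless the result still starts with that directory. The archive built by `sampleZip()` is constructed here for the demonstration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {

    // Hardened unzip: each entry is resolved against the output directory and
    // normalized; anything that no longer starts with that directory is rejected
    // before a single byte is written (the normalize()/startsWith() check).
    static void unzip(InputStream zipStream, Path toOutputDir) throws IOException {
        Path root = toOutputDir.toAbsolutePath().normalize();
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("Zip Slip entry rejected: " + entry.getName());
                }
                if (entry.isDirectory()) continue; // parents are created per file below
                Files.createDirectories(target.getParent());
                Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // Constructed in-memory archive: one legitimate generated file and one
    // traversal entry of the kind described in the advisory.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("generated/Api.java"));
            zos.write("class Api {}".getBytes());
            zos.putNextEntry(new ZipEntry("../../proof.txt"));
            zos.write("outside".getBytes());
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("codegen-out");
        try {
            unzip(new ByteArrayInputStream(sampleZip()), out);
        } catch (IOException e) {
            System.out.println(e.getMessage()); // traversal entry rejected, nothing written outside 'out'
        }
    }
}
```

Because the check fails fast, entries preceding the rejected one have already been written; a build that treats the exception as fatal and discards the output directory avoids shipping a partially extracted tree.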
### PoC
This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.
1. Create a ZIP file containing an entry named `../../proof.txt` with arbitrary content
2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint
4. Trigger code generation
5. Observe that `proof.txt` is written two directories above the intended output
### Impact
An attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.
GHSA CVSS 4.0 score: 6.3
Vulnerability type: CWE-22 (Path Traversal)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026