Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.3
Kiota: Malicious Code Injection in Generated Clients
GHSA-2hx3-vp6r-mg3f
Summary
Kiota versions prior to 1.31.1 allow attackers to inject malicious code into generated clients if they control the OpenAPI description or if it's been tampered with. This can happen when Kiota generates code from untrusted or compromised API descriptions. Update to version 1.31.1 or later to fix this issue.
What to do
- Update kiota to version 1.31.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | kiota | <= 1.31.1 | 1.31.1 |
Original title
Kiota: Code Generation Literal Injection
Original description
# Code Generation Literal Injection in Kiota
## Summary
Kiota versions **prior to 1.31.1** are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission).
When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.
## Impact and Preconditions
This issue is only practically exploitable when:
1. the OpenAPI description used for generation is from an **untrusted source**, or
2. a normally trusted OpenAPI description has been **compromised/tampered with**.
If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced.
## Affected Versions
- **Affected:** all versions **< 1.31.1**
- **Fixed:** **1.31.1** and later
## Illustrative Exploit Example
### Example OpenAPI fragment (malicious default value)
```yaml
openapi: 3.0.1
info:
title: Exploit Demo
version: 1.0.0
components:
schemas:
User:
type: object
properties:
displayName:
type: string
default: "\"; throw new System.Exception(\"injected\"); //"
```
### Example generated C# snippet before fix (illustrative)
```csharp
public User() {
DisplayName = ""; throw new System.Exception("injected"); //";
}
```
The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code.
> Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations.
## Remediation
1. Upgrade Kiota to **1.31.1 or later**.
2. Regenerate/refresh existing generated clients as a precaution:
```bash
kiota update
```
Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
## Acknowledgement
We would like to thank the researcher Thanatos Tian (Polyu) for finding this issue and for his contribution to this open source project.
## Summary
Kiota versions **prior to 1.31.1** are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission).
When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.
## Impact and Preconditions
This issue is only practically exploitable when:
1. the OpenAPI description used for generation is from an **untrusted source**, or
2. a normally trusted OpenAPI description has been **compromised/tampered with**.
If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced.
## Affected Versions
- **Affected:** all versions **< 1.31.1**
- **Fixed:** **1.31.1** and later
## Illustrative Exploit Example
### Example OpenAPI fragment (malicious default value)
```yaml
openapi: 3.0.1
info:
title: Exploit Demo
version: 1.0.0
components:
schemas:
User:
type: object
properties:
displayName:
type: string
default: "\"; throw new System.Exception(\"injected\"); //"
```
### Example generated C# snippet before fix (illustrative)
```csharp
public User() {
DisplayName = ""; throw new System.Exception("injected"); //";
}
```
The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code.
> Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations.
## Remediation
1. Upgrade Kiota to **1.31.1 or later**.
2. Regenerate/refresh existing generated clients as a precaution:
```bash
kiota update
```
Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
## Acknowledgement
We would like to thank the researcher Thanatos Tian (Polyu) for finding this issue and for his contribution to this open source project.
ghsa CVSS4.0
7.3
Vulnerability type
CWE-94
Code Injection
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026