fix(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.1 [security] (release-2.3)#198
Open
crossplane-renovate[bot] wants to merge 1 commit into
Conversation
crossplane-renovate
Bot
requested review from
a team,
jcogilvie and
tampakrap
as code owners
July 18, 2026 08:35
Contributor
Author
|
crossplane-renovate
Bot
requested review from
bobh66
and removed request for
a team
July 18, 2026 08:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.7.0→v2.7.1oapi-codegen: OpenAPI Server Description Escapes Generated Go Comment and Injects Executable Code
GHSA-rjwr-m7qx-3fjr
More information
Details
Summary
The vulnerability in oapi-codegen seems to be similar with CVE-2026-22785, which is a generated-code injection issue where untrusted OpenAPI
summarytext is embedded into generated TypeScript MCP server source without proper escaping.oapi-codegenhas a similar vulnerability in its server URL generator: untrusted OpenAPIservers[].descriptiontext is inserted into a generated Go line comment without normalizing embedded newlines. A crafted description can break out of the comment, add imports throughgoimports, and emit executable Go declarations into the generated package.Details
The vulnerable sink is in
pkg/codegen/templates/server-urls.tmpl.This template assumes the OpenAPI server description remains inside a single Go line comment. However, OpenAPI descriptions are attacker-controlled strings and may contain newlines. Once a newline is present, the next line is no longer part of the comment.
The same raw description is also used in the function form of server URL generation:
Identifier generation does not protect this sink. In
pkg/codegen/server_urls.go, the description is normalized only for the generated Go identifier:The identifier is sanitized, but the raw
server.Descriptionis still rendered in the comment template. This leaves the code-generation context vulnerable.The generated file is then formatted with
goimportsinpkg/codegen/codegen.go:SanitizeCodeonly removes byte-order marks:It does not escape comments, replace newlines, or otherwise serialize untrusted text for a Go source-code context. As a result, attacker-controlled source can be preserved and formatted as valid Go.
How to Reproduce
The attacker-controlled input is an OpenAPI document whose
servers[].descriptioncontains a newline followed by Go declarations:Generate Go source with server URL generation enabled. No special local path or helper file is required for the vulnerability; the malicious description is copied into the generated source-code context.
The generated source contains attacker-controlled executable code:
Impact
An attacker who can supply or influence an OpenAPI document consumed by
oapi-codegencan inject arbitrary Go source into the generated package. In common API-client/server generation workflows, this can lead to build-time or runtime code execution in developer machines, CI systems, or downstream applications that trust generated code.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)
v2.7.1: Security fix for Go code injectionCompare Source
This is a security fix for a code injection vulnerability in v2.7.0, please see:
GHSA-rjwr-m7qx-3fjr
We're more strict about escaping strings passed into the OpenAPI specification, so that people can't inject Go code into generated code.
The problem was that it was possible to craft a description for server URL's which would emit arbitrary Go code, so if an attacker controlled your specification, they could inject Go code into your generated code which could do something malicious.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.