Vulnerability DatabaseGHSA-2hx3-vp6r-mg3f

GHSA-2hx3-vp6r-mg3f:
C# vulnerability analysis and mitigation

Code Generation Literal Injection in Kiota

Summary

Kiota versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.

Impact and Preconditions

This issue is only practically exploitable when:

the OpenAPI description used for generation is from an untrusted source, or
a normally trusted OpenAPI description has been compromised/tampered with.If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced.

Affected Versions

Affected: all versions < 1.31.1
Fixed: 1.31.1 and later

Illustrative Exploit Example

Example OpenAPI fragment (malicious default value)

openapi: 3.0.1
info:
  title: Exploit Demo
  version: 1.0.0
components:
  schemas:
    User:
      type: object
      properties:
        displayName:
          type: string
          default: "\"; throw new System.Exception(\"injected\"); //"

Example generated C# snippet before fix (illustrative)

public User() {
    DisplayName = ""; throw new System.Exception("injected"); //";
}

The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code.

Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations.

Remediation

Upgrade Kiota to 1.31.1 or later.
Regenerate/refresh existing generated clients as a precaution:

kiota update

Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.

Acknowledgement

We would like to thank the researcher Thanatos Tian (Polyu) for finding this issue and for his contribution to this open source project.

Source: NVD

Related C# vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-2hx3-vp6r-mg3f	HIGH	7.3	C#	kiota	No	Yes	Apr 14, 2026
GHSA-x928-4434-crqj	LOW	3.7	C#	Magick.NET-Q16-HDRI-arm64	No	Yes	Apr 14, 2026
GHSA-pmpg-6pww-fg6q	LOW	3.3	C#	Magick.NET-Q8-arm64	No	Yes	Apr 14, 2026
GHSA-g4vj-cjjj-v7hg	LOW	N/A	C#	NuGet.CommandLine	No	Yes	Apr 14, 2026
GHSA-fcpv-w245-r2q7	LOW	N/A	C#	DotNetNuke.Core	No	Yes	Apr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-2hx3-vp6r-mg3f: C# vulnerability analysis and mitigation