CVE-2023-23619 – @asyncapi/modelina

Package

Manager: npm
Name: @asyncapi/modelina
Vulnerable Version: >=0 <1.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00217 pctl0.44325

Details

Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina ### Impact Anyone who is using the default presets and/or does not handle the functionality themself. ### Patches It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior. ### Workarounds Fully custom presets that change the entire rendering process which can then escape the user input. ### For more information Even though that I changed all the presets here, the vulnerability is still present throughout. I am using a JSON Schema here for simplicity. ```ts const jsonSchemaDoc = { $id: 'CustomClass', type: 'object', properties: { 'property: any; \n constructor(){console.log("injected")} \n private _temp': { type: 'string' }, } }; generator = new TypeScriptGenerator( { presets: [ { class: { property({ propertyName, content }) { return `private ${propertyName}: any;`; }, ctor() { return ''; }, getter() { return ''; }, setter() { return ''; } } } ] } ); const inputModel = await generator.process(jsonSchemaDoc); ``` This would render ```ts export class CustomClass { private property: any; constructor(){console.log("injected")} private _temp: any; private additionalProperties: any; } ```

Metadata

Created: 2021-09-21T18:41:59Z
Modified: 2023-01-26T21:57:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4jg2-84c2-pj95/GHSA-4jg2-84c2-pj95.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-4jg2-84c2-pj95
Finding: F184
Auto approve: 1