GHSA-2JCC-MXV7-P3F9
Vulnerability from github – Published: 2026-07-07 23:45 – Updated: 2026-07-07 23:45Summary
From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.
Impact
A caller who set --allow-external-refs=false specifically to safely process untrusted specs remained exposed — on the git-revision load path only — to:
- SSRF via
$ref: "http://<internal-host>/…", and - Local file reads via
$ref: "/path"orfile://.
Affected callers:
- CLI:
oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false(andbreaking/changelog/summary, and thegit-diff-driver) run over untrusted spec content. - Go library consumers of
github.com/oasdiff/oasdiff/loadthat setIsExternalRefsAllowed = falseand load from a git-revision source viaload.NewSpecInfo.
The file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (true) are not in scope for this advisory.
Patches
v1.18.1 enforces the external-refs policy on the git-revision path (so --allow-external-refs=false now blocks external $refs there) and returns a dedicated exit code (123) when an external $ref is refused.
Workarounds
- Upgrade to v1.18.1, or
- Avoid the git-revision input form when processing untrusted specs with external refs disabled.
Notes
- Introduced in v1.13.2 (#832, which added
$ref-chain resolution on the git-revision path); fixed in v1.18.1 (#974, #975). - The permissive default (
allow-external-refs: true) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.18.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/oasdiff/oasdiff"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.2"
},
{
"fixed": "1.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53508"
],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-73",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T23:45:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nFrom **v1.13.2** through **v1.18.0**, oasdiff did not enforce `--allow-external-refs=false` (library: `openapi3.Loader.IsExternalRefsAllowed = false`) when loading a spec from a **git revision** (the `rev:path` form, e.g. `main:openapi.yaml`). External `$ref`s were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.\n\n## Impact\n\nA caller who set `--allow-external-refs=false` *specifically to safely process untrusted specs* remained exposed \u2014 on the git-revision load path only \u2014 to:\n\n- **SSRF** via `$ref: \"http://\u003cinternal-host\u003e/\u2026\"`, and\n- **Local file reads** via `$ref: \"/path\"` or `file://`.\n\nAffected callers:\n\n- **CLI:** `oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false` (and `breaking` / `changelog` / `summary`, and the `git-diff-driver`) run over untrusted spec content.\n- **Go library consumers** of `github.com/oasdiff/oasdiff/load` that set `IsExternalRefsAllowed = false` and load from a git-revision source via `load.NewSpecInfo`.\n\nThe file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (`true`) are not in scope for *this* advisory.\n\n## Patches\n\n**v1.18.1** enforces the external-refs policy on the git-revision path (so `--allow-external-refs=false` now blocks external `$ref`s there) and returns a dedicated exit code (`123`) when an external `$ref` is refused.\n\n## Workarounds\n\n- Upgrade to **v1.18.1**, or\n- Avoid the git-revision input form when processing untrusted specs with external refs disabled.\n\n## Notes\n\n- Introduced in **v1.13.2** (#832, which added `$ref`-chain resolution on the git-revision path); fixed in **v1.18.1** (#974, #975).\n- The permissive **default** (`allow-external-refs: true`) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).",
"id": "GHSA-2jcc-mxv7-p3f9",
"modified": "2026-07-07T23:45:05Z",
"published": "2026-07-07T23:45:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oasdiff/oasdiff/security/advisories/GHSA-2jcc-mxv7-p3f9"
},
{
"type": "WEB",
"url": "https://github.com/oasdiff/oasdiff/pull/832"
},
{
"type": "WEB",
"url": "https://github.com/oasdiff/oasdiff/pull/974"
},
{
"type": "WEB",
"url": "https://github.com/oasdiff/oasdiff/pull/975"
},
{
"type": "PACKAGE",
"url": "https://github.com/oasdiff/oasdiff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.