GHSA-JX2W-VP7F-456Q

Vulnerability from github – Published: 2026-04-08 19:14 – Updated: 2026-04-10 21:36
Summary
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
Details

Summary

A path traversal vulnerability was discovered in the quarkus-openapi-generator extension.

Details

The unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory.

The interesting thing is that the client module in the same repository already has the correct fix. OpenApiGeneratorStreamCodeGen.java at line 137 performs proper normalize() and startsWith() validation. The server module was simply missed.
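As an added illustration, not code from the quarkus-openapi-generator project, the following Java extractor shows the containment check the advisory describes: each entry's path is resolved against the output directory, normalized, and required to start with that directory before any write happens, instead of writing straight to new File(toOutputDir, entry.getName()). The class name SafeUnzip, the helper buildArchive and the entry names are assumptions for this example; the test archive is constructed in memory so the check can be exercised offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // Hardened extraction (example code, not the project's own): every entry is
    // resolved against the output directory, normalized, and checked to still lie
    // inside it before any file is created. This is the normalize()/startsWith()
    // pattern the advisory says the client module applies.
    static void unzip(InputStream zipData, File toOutputDir) throws IOException {
        Path root = toOutputDir.toPath().toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zis = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // "../../x" normalizes to a path above root; an absolute entry name
                // resolves to itself. Both fail the containment check below.
                Path target = root.resolve(entry.getName()).normalize();
                // Path.startsWith compares whole path components, so an output
                // directory "/out" does not accidentally accept "/outside/x".
                if (!target.startsWith(root)) {
                    throw new IOException("Zip Slip entry rejected: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed fixture for the check above: one benign generated-source entry
    // and, optionally, one entry whose name climbs out of the output directory.
    static byte[] buildArchive(boolean includeTraversal) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("gen/Client.java"));
            zos.write("public class Client {}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            if (includeTraversal) {
                zos.putNextEntry(new ZipEntry("../../escape.txt"));
                zos.write("x".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("codegen-out");

        // A well-formed archive extracts normally inside the output directory.
        unzip(new ByteArrayInputStream(buildArchive(false)), out.toFile());
        System.out.println("benign entry extracted: "
                + Files.exists(out.resolve("gen/Client.java")));

        // The archive with a traversal entry is rejected before the escaping
        // entry is written; nothing appears outside the output directory.
        try {
            unzip(new ByteArrayInputStream(buildArchive(true)), out.toFile());
            System.out.println("UNEXPECTED: traversal entry was accepted");
        } catch (IOException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        System.out.println("file outside output dir exists: "
                + Files.exists(out.resolve("../../escape.txt").normalize()));
    }
}
```

The check has to run on the normalized, absolute path before any Files call; checking the raw entry name for a "../" substring is weaker, because entries such as "gen/../../x" or an absolute name bypass a naive string match but are caught by resolve().normalize() followed by Path.startsWith().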

PoC

This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.

  1. Create a ZIP file containing an entry named ../../proof.txt with arbitrary content
  2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
  3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint
  4. Trigger code generation
  5. Observe that proof.txt is written two directories above the intended output

Impact

An attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.15.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkiverse.openapi.generator:quarkus-openapi-generator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:14:32Z",
    "nvd_published_at": "2026-04-10T20:16:23Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA path traversal vulnerability was discovered in the quarkus-openapi-generator extension\n\n### Details\nThe `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as `new File(toOutputDir, entry.getName())` and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., `../../malicious.java`) would write files outside the target directory.\n\nThe interesting thing is that the client module in the same repository already has the correct fix. `OpenApiGeneratorStreamCodeGen.java` at line 137 performs proper `normalize()` and `startsWith()` validation. The server module was simply missed.\n\n### PoC\nThis vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.\n\n1. Create a ZIP file containing an entry named `../../proof.txt` with arbitrary content\n2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path\n3. Serve the malicious ZIP from a controlled or MITM\u0027d Apicurio registry endpoint\n4. Trigger code generation\n5. Observe that `proof.txt` is written two directories above the intended output\n\n\n### Impact\nAn attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.",
  "id": "GHSA-jx2w-vp7f-456q",
  "modified": "2026-04-10T21:36:53Z",
  "published": "2026-04-08T19:14:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class"
}

