Skip to main content

oasdiff CVE-2026-53508

MEDIUM
External Control of File Name or Path (CWE-73)
2026-07-07 https://github.com/oasdiff/oasdiff GHSA-2jcc-mxv7-p3f9
Share

Severity by source

vuln.today AI
8.6 HIGH

Network-reachable via untrusted spec content; no privileges required to craft payload; scope changes because SSRF can compromise systems beyond the oasdiff process; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 00:32 vuln.today

DescriptionCVE.org

Summary

From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.

Impact

A caller who set --allow-external-refs=false *specifically to safely process untrusted specs* remained exposed - on the git-revision load path only - to:

  • SSRF via $ref: "http://<internal-host>/…", and
  • Local file reads via $ref: "/path" or file://.

Affected callers:

  • CLI: oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false (and breaking / changelog / summary, and the git-diff-driver) run over untrusted spec content.
  • Go library consumers of github.com/oasdiff/oasdiff/load that set IsExternalRefsAllowed = false and load from a git-revision source via load.NewSpecInfo.

The file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (true) are not in scope for *this* advisory.

Patches

v1.18.1 enforces the external-refs policy on the git-revision path (so --allow-external-refs=false now blocks external $refs there) and returns a dedicated exit code (123) when an external $ref is refused.

Workarounds

  • Upgrade to v1.18.1, or
  • Avoid the git-revision input form when processing untrusted specs with external refs disabled.

Notes

  • Introduced in v1.13.2 (#832, which added $ref-chain resolution on the git-revision path); fixed in v1.18.1 (#974, #975).
  • The permissive default (allow-external-refs: true) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).

AnalysisAI

Security-control bypass in oasdiff v1.13.2-v1.18.0 silently negates the --allow-external-refs=false safety flag when loading OpenAPI specifications via the git-revision input form (rev:path, e.g. main:openapi.yaml), leaving callers exposed to SSRF and local file disclosure despite explicitly intending to sandbox untrusted spec processing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft OpenAPI spec with malicious $refs
Delivery
Submit spec to target git repository
Exploit
CI/CD invokes oasdiff via git-revision input form
Execution
External ref policy bypass silently resolves $refs
Persist
SSRF reaches internal host or local file is read
Impact
Attacker exfiltrates credentials or sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions on the victim side: (1) the caller must explicitly set `--allow-external-refs=false` at the CLI or `IsExternalRefsAllowed = false` in the Go library - callers using the permissive default (`true`) are explicitly out of scope for this advisory; (2) the caller must load at least one spec using the git-revision input form, e.g., `main:openapi.yaml` or `HEAD:openapi.yaml`; and (3) the spec content being processed must include at least one external `$ref` URI - an HTTP/HTTPS URL for SSRF, or a bare filesystem path or `file://` URI for local file reads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is provided in the available data, limiting quantitative risk comparison; all metric assessments below are independently derived from the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a pull request to a repository where CI/CD runs `oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false`, embedding `$ref: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'` inside the submitted spec. Despite the flag, oasdiff resolves the reference on the git-revision load path, triggering an outbound HTTP request from the CI runner to the AWS instance metadata service. …
Remediation Upgrade to oasdiff v1.18.1, which enforces the `--allow-external-refs=false` policy on the git-revision loading path and returns a dedicated exit code (123) when an external `$ref` is refused; the fix is implemented in PRs #974 and #975 (https://github.com/oasdiff/oasdiff/pull/974, https://github.com/oasdiff/oasdiff/pull/975). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy