Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious spec is network-fetched (AV:N) with low complexity and no auth (PR:N), but a developer must run generation and build (UI:R); full code execution yields C/I/A:H, scope kept unchanged to match vendor SC:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C
XML documentation-comment sink (the description, externalDocs label, and externalDocs link fields emitted as /// … comments). When text from an OpenAPI description is written into single-line XML doc comments without stripping newline and Unicode line-terminator characters, an attacker can break out of the /// comment line and inject additional code into generated C
clients. This issue is fixed in version 1.32.3.
AnalysisAI
{}//') demonstrating the break-out.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to run Kiota (< 1.32.3) generation targeting the C# language against an OpenAPI description the attacker can influence, and the crafted 'description', externalDocs label, or externalDocs link field must contain a C# line-terminator character (\r, \n, \r\n, U+0085, U+2028, or U+2029) followed by the injected C# code. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, score 8.7) rates this High: network-reachable, low complexity, no privileges, but requiring passive user interaction, with high confidentiality/integrity/availability impact and no subsequent-system scope change (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes or tampers with an OpenAPI specification, placing a crafted payload such as a description ending with a line terminator followed by 'class KiotaPwn{}//' into a description or externalDocs field. A developer runs Kiota (version < 1.32.3) to generate a C# client from that spec, and the payload breaks out of the /// documentation comment into namespace-level source, so the attacker's C# compiles and executes when the client is built. … |
| Remediation | Vendor-released patch: 1.32.3 - upgrade the Kiota CLI, the Kiota.Builder library, and any Kiota-based build/CI tooling to 1.32.3 or later (release: https://github.com/microsoft/kiota/releases/tag/v1.32.3; fix in PR https://github.com/microsoft/kiota/pull/7831 and commit ebb632db90aa8e3c20949337d9faa2720d64ca44). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running the affected product and assess exposure in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write
Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `stat
Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the insta
{...}, $var, or {$obj->prop} are emitted verbatim inside PHP double-quoted literals and interpolated as code when the ge
Code injection in Microsoft Kiota's Python client generator (versions prior to 1.32.0) allows an attacker who controls a
{expr}, #$var, or #@var markers are treated as live Ruby interpolation inside generated model classes. There is no publi
Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descripti
Build-time SSRF, remote file inclusion, and local file inclusion in Microsoft Kiota before 1.32.5 lets an attacker-contr
Arbitrary file write via path traversal in Microsoft Kiota (OpenAPI HTTP client/plugin code generator) before 1.32.5 all
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44931