Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-deliverable document with trivial deterministic payload (AV:N/AC:L/PR:N/UI:N); availability-only process crash gives A:H with C:N/I:N and unchanged scope.
Primary rating from Vendor (https://github.com/microsoft/OpenAPI.NET).
CVSS VectorVendor: https://github.com/microsoft/OpenAPI.NET
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Impact
A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths.
Affected versions
>= 2.0.0-preview11, <= 2.7.4>= 3.0.0, <= 3.5.3
Patches
- For the 2.X major version, versions 2.7.5 and above are patched.
- For the 3.X major version, versions 3.5.4 and above are patched.
- For the 1.X major version, the issue does not apply since that version of the library *could not* resolve references that pointed to another reference.
Impact
Applications, CLIs, developer tools, or services that parse untrusted OpenAPI documents in-process may be terminated by a crafted OpenAPI document containing circular schema references.
The impact is availability/process termination only. This report does not claim remote code execution, authentication bypass, credential exposure, privilege escalation, data exposure, or Microsoft hosted service impact.
Details
A standalone isolated-process harness confirmed repeatable process termination through public OpenAPI.NET reader APIs. The issue reproduces in the affected released NuGet packages and affects both JSON and YAML reader paths.
A separate Microsoft-owned local consumer, microsoft/kiota, also reproduces the termination through the kiota show --openapi <file> workflow. That workflow parses OpenAPI files in-process using Microsoft.OpenApi and Microsoft.OpenApi.YamlReader.
Example payload
{
"openapi": "3.0.0",
"info": {
"title": "Test",
"version": "0.0.1"
},
"paths": {},
"components": {
"schemas": {
"A": {
"$ref": "#/components/schemas/B"
},
"B": {
"$ref": "#/components/schemas/A"
}
}
}
}Remediation
Users should upgrade to Microsoft.OpenApi 2.7.5 or 3.5.4, depending on the major version line they consume.
Applications that parse OpenAPI documents from untrusted sources should avoid parsing those documents in the primary application process when possible. Running parsing in an isolated process can reduce the blast radius of parser failures.
AnalysisAI
Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable application must parse an attacker-supplied OpenAPI document in-process through the public OpenAPI.NET reader APIs (JSON or YAML reader path) using an affected version (2.0.0-preview11-2.7.4 or 3.0.0-3.5.3). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent in direction but modest in real-world severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a small crafted OpenAPI/Swagger document - for example, schemas A and B that $ref each other - to a service, CLI, or developer tool that parses uploaded OpenAPI specs in-process using Microsoft.OpenApi. Parsing recurses without bound, overflows the stack, and terminates the process, denying service to all users of that instance. … |
| Remediation | Vendor-released patch: upgrade Microsoft.OpenApi to 2.7.5 or later on the 2.x line, or to 3.5.4 or later on the 3.x line, matching whichever major version your project consumes; rebuild and redeploy downstream consumers such as kiota against the patched package. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all .NET applications using Microsoft.OpenApi and identify services that accept external OpenAPI documents; implement immediate upload restrictions where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40365
GHSA-v5pm-xwqc-g5wc