Overview · acacode/swagger-typescript-api · GitHub

Security

No security policy detected

This project has not set up a SECURITY.md file yet.

Report a vulnerability

Authorization-token exfiltration via spec `$ref`; generator forwards `--authorizationToken` to cross-origin `$ref` URLs without same-origin check, allowing a malicious spec to steal the developer's bearer token
GHSA-h754-fxp7-88wx published Jun 8, 2026 by js2me

High
Server-Side Request Forgery via spec `$ref`; generator makes attacker-directed HTTP requests during code generation when run against an attacker-controlled OpenAPI spec
GHSA-x36r-4347-pm5x published Jun 8, 2026 by js2me

Moderate
Code injection via unescaped `servers[0].url` in axios http-client template; per-instance RCE on `new HttpClient()` when run against an attacker-controlled OpenAPI spec
GHSA-38c3-wv3c-v3xj published Jun 8, 2026 by js2me

High
Code injection via unescaped OpenAPI path strings in generated method bodies; per-method-call RCE
GHSA-w284-33mx-6g9v published Jun 8, 2026 by js2me

High
Code injection via unescaped enum string values; module-load RCE in generated client when run against an attacker-controlled OpenAPI spec
GHSA-5f94-x226-ccpm published Jun 8, 2026 by js2me

High
Code injection via unescaped `servers[0].url` in fetch http-client template; module-load RCE when run against an attacker-controlled OpenAPI spec
GHSA-hqj5-cw9f-rx67 published Jun 8, 2026 by js2me

High

Learn more about advisories related to acacode/swagger-typescript-api in the GitHub Advisory Database