datamodel-code-generator, a Python code generator pulling roughly 14.5 million downloads a month on PyPI, shipped twelve CVEs: code injection and code execution on import, SSRF, and arbitrary local file read. Seven came from reading the source. Five more came from bypassing the fixes. Here is how an attacker-controlled schema turns a model generator into remote code execution, and why patching a single sink is not the same as patching the whole bug class.