GHSA-2JCC-MXV7-P3F9

Vulnerability from github – Published: 2026-07-07 23:45 – Updated: 2026-07-07 23:45
VLAI
Summary
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Details

Summary

From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.

Impact

A caller who set --allow-external-refs=false specifically to safely process untrusted specs remained exposed — on the git-revision load path only — to:

  • SSRF via $ref: "http://<internal-host>/…", and
  • Local file reads via $ref: "/path" or file://.

Affected callers:

  • CLI: oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false (and breaking / changelog / summary, and the git-diff-driver) run over untrusted spec content.
  • Go library consumers of github.com/oasdiff/oasdiff/load that set IsExternalRefsAllowed = false and load from a git-revision source via load.NewSpecInfo.

The file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (true) are not in scope for this advisory.

Patches

v1.18.1 enforces the external-refs policy on the git-revision path (so --allow-external-refs=false now blocks external $refs there) and returns a dedicated exit code (123) when an external $ref is refused.

Workarounds

  • Upgrade to v1.18.1, or
  • Avoid the git-revision input form when processing untrusted specs with external refs disabled.

Notes

  • Introduced in v1.13.2 (#832, which added $ref-chain resolution on the git-revision path); fixed in v1.18.1 (#974, #975).
  • The permissive default (allow-external-refs: true) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.18.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oasdiff/oasdiff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.2"
            },
            {
              "fixed": "1.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-73",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T23:45:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nFrom **v1.13.2** through **v1.18.0**, oasdiff did not enforce `--allow-external-refs=false` (library: `openapi3.Loader.IsExternalRefsAllowed = false`) when loading a spec from a **git revision** (the `rev:path` form, e.g. `main:openapi.yaml`). External `$ref`s were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.\n\n## Impact\n\nA caller who set `--allow-external-refs=false` *specifically to safely process untrusted specs* remained exposed \u2014 on the git-revision load path only \u2014 to:\n\n- **SSRF** via `$ref: \"http://\u003cinternal-host\u003e/\u2026\"`, and\n- **Local file reads** via `$ref: \"/path\"` or `file://`.\n\nAffected callers:\n\n- **CLI:** `oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false` (and `breaking` / `changelog` / `summary`, and the `git-diff-driver`) run over untrusted spec content.\n- **Go library consumers** of `github.com/oasdiff/oasdiff/load` that set `IsExternalRefsAllowed = false` and load from a git-revision source via `load.NewSpecInfo`.\n\nThe file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (`true`) are not in scope for *this* advisory.\n\n## Patches\n\n**v1.18.1** enforces the external-refs policy on the git-revision path (so `--allow-external-refs=false` now blocks external `$ref`s there) and returns a dedicated exit code (`123`) when an external `$ref` is refused.\n\n## Workarounds\n\n- Upgrade to **v1.18.1**, or\n- Avoid the git-revision input form when processing untrusted specs with external refs disabled.\n\n## Notes\n\n- Introduced in **v1.13.2** (#832, which added `$ref`-chain resolution on the git-revision path); fixed in **v1.18.1** (#974, #975).\n- The permissive **default** (`allow-external-refs: true`) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).",
  "id": "GHSA-2jcc-mxv7-p3f9",
  "modified": "2026-07-07T23:45:05Z",
  "published": "2026-07-07T23:45:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oasdiff/oasdiff/security/advisories/GHSA-2jcc-mxv7-p3f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oasdiff/oasdiff/pull/832"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oasdiff/oasdiff/pull/974"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oasdiff/oasdiff/pull/975"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oasdiff/oasdiff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…