GMS-2021-18: Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina

September 21, 2021 (updated January 25, 2023)

Impact

Anyone who is using the default presets and/or does not handle the functionality themself.

Patches

It has not been patched yet.

Workarounds

Fully custom presets that change the entire rendering process which can then escape the user input.

For more information

Even though that I changed all the presets here, the vulnerability is still present throughout.

References

github.com/advisories/GHSA-4jg2-84c2-pj95
github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95

Code Behaviors & Features

Detect and mitigate GMS-2021-18 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →