
CVE

CVE-2026-40180

quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class

Summary

A path traversal (Zip Slip) vulnerability was discovered in the quarkus-openapi-generator extension: the server-side code generator extracts a ZIP archive fetched from an Apicurio registry without confining entry paths to the output directory.

Details

The unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101 the destination is constructed as new File(toOutputDir, entry.getName()) and the entry content is written to it immediately. Because the entry name is taken verbatim from the archive, a malicious ZIP containing entries with traversal sequences (e.g., ../../malicious.java) causes files to be written outside the target directory.

Notably, the client module in the same repository already contains the correct check: OpenApiGeneratorStreamCodeGen.java at line 137 normalizes the resolved path and verifies with startsWith() that it remains under the output directory. The server module simply never received the same fix.

PoC

Exploitation requires the attacker to control, or be able to tamper with in transit, the ZIP archive that the Apicurio registry serves to the extension. Where the registry is reached over an untrusted network, or TLS to the registry is absent or not properly validated, this becomes practical. The attack runs at build/codegen time, not at application runtime, so the written files land on the developer workstation or CI runner with the privileges of the build process.

  1. Create a ZIP file containing an entry named ../../proof.txt with arbitrary content
  2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
  3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint
  4. Trigger code generation
  5. Observe that proof.txt is written two directories above the intended output
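The vulnerable extraction loop beside its hardened counterpart, with the crafted archive from step 1 built in memory and extracted into a throwaway directory, as an added example. This is illustrative code written for this page, not the extension's own ApicurioCodegenWrapper or OpenApiGeneratorStreamCodeGen source; the method names, the sandbox directory layout (a/b/out) and the entry content are assumptions. The hardened variant uses the normalize() plus startsWith() idiom the advisory credits to the client module.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Step 1 of the PoC: an archive whose single entry name carries a traversal
    // sequence. Constructed input for this demo, not a real registry response.
    static byte[] maliciousZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("../../proof.txt"));
            zos.write("written outside the output dir".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    // Vulnerable pattern from the advisory: the destination is built straight
    // from entry.getName() and written without checking it stays under toOutputDir.
    // The OS resolves the embedded ".." segments when the file is opened.
    static void unzipVulnerable(InputStream in, File toOutputDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File dest = new File(toOutputDir, entry.getName());
                if (entry.isDirectory()) {
                    dest.mkdirs();
                    continue;
                }
                dest.getParentFile().mkdirs();
                try (OutputStream out = Files.newOutputStream(dest.toPath())) {
                    zis.transferTo(out);
                }
            }
        }
    }

    // Hardened version: resolve against the normalized absolute output root and
    // compare Path prefixes before writing. This rejects "../" entries and
    // absolute entry names alike, since neither normalizes to a child of root.
    static void unzipSafe(InputStream in, File toOutputDir) throws IOException {
        Path root = toOutputDir.toPath().toAbsolutePath().normalize();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path dest = root.resolve(entry.getName()).normalize();
                if (!dest.startsWith(root)) {
                    throw new IOException("Zip entry escapes output directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                    continue;
                }
                Files.createDirectories(dest.getParent());
                try (OutputStream out = Files.newOutputStream(dest)) {
                    zis.transferTo(out);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Sandbox: <tmp>/a/b/out is the intended output directory, so the entry
        // "../../proof.txt" resolves two levels up, to <tmp>/a/proof.txt.
        Path tmp = Files.createTempDirectory("zipslip");
        Path out = tmp.resolve("a/b/out");
        Files.createDirectories(out);
        byte[] zip = maliciousZip();

        unzipVulnerable(new ByteArrayInputStream(zip), out.toFile());
        Path escaped = tmp.resolve("a/proof.txt");
        System.out.println("vulnerable unzip wrote " + escaped + ": " + Files.exists(escaped));

        try {
            unzipSafe(new ByteArrayInputStream(zip), out.toFile());
            System.out.println("safe unzip extracted the archive (unexpected)");
        } catch (IOException e) {
            System.out.println("safe unzip rejected the entry: " + e.getMessage());
        }
    }
}
```

Requires Java 11 or later (InputStream.transferTo). Note that the check is done on the fully normalized path rather than by scanning for ".." substrings, which is why it also covers an entry whose name is absolute or mixes "./" and "../" segments.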

Impact

An attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.


CVSS

CVSS Version: 4.0
Severity: High
Score: 7.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q
https://nvd.nist.gov/vuln/detail/CVE-2026-40180
https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0
https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239
https://github.com/quarkiverse/quarkus-openapi-generator


Basic Information

Ecosystem:
Base CVSS: 7.5
EPSS Probability: 0.00096%
EPSS Percentile: 0.26489%
Introduced Version: 0
Fix Available: 2.16.0
