Platform: nodejs
Component: @orpc/openapi
Fixed in: 1.13.10, 1.13.9
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the OpenAPI documentation generation functionality of the @orpc/openapi library. An attacker who can control fields of the OpenAPI specification, such as info.description, can inject JavaScript that is embedded in the generated API documentation. Versions prior to 1.13.9 are affected; a fix is available in version 1.13.9.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the generated API documentation. This can lead to session hijacking, credential theft, and defacement of the documentation. Because the attacker controls the JavaScript payload, the attack can be tailored to specific user actions or data. The impact is amplified if the API documentation is publicly accessible or widely distributed.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, it is recommended to prioritize remediation.
Development teams using @orpc/openapi to generate API documentation are at risk. This includes organizations that rely on automated documentation generation tools and those with publicly accessible API documentation. Projects using older versions of @orpc/openapi, particularly those with limited security testing or input validation, are especially vulnerable.
• nodejs: Inspect package.json for @orpc/openapi versions prior to 1.13.9, and run npm list @orpc/openapi to confirm the version actually installed.
• generic web: Monitor API documentation endpoints for unusual JavaScript execution. Examine access logs for requests containing suspicious characters or payloads in the info.description parameter.
• generic web: Use curl to test the API documentation endpoint with a simple XSS payload in the info.description parameter: curl 'YOURAPIENDPOINT?info.description=<script>alert(1)</script>' and check the response for the alert.
disclosure
Exploit status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33331 is to upgrade to version 1.13.9 or later of the @orpc/openapi library. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any user-controlled data used within the OpenAPI specification. Specifically, carefully scrutinize the info.description field and other potentially vulnerable fields. While not a direct fix, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the API documentation endpoint could provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the info.description field and confirming that it is not executed when viewing the generated documentation.
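The interim mitigation above, HTML-escaping the free-text fields of the OpenAPI document before a doc generator interpolates them into HTML, as an added example that is not code from @orpc/openapi; the spec, the renderDocsHtml stand-in and the helper names are constructed for illustration:

```javascript
// Added example (not code from @orpc/openapi): HTML-escape the free-text
// fields of an OpenAPI document before they are interpolated into HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for an HTML text or quoted-attribute context. Inline-script and URL
// contexts need their own encoding; this is not a general-purpose sanitizer.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Keys whose string values documentation UIs typically render as text.
const TEXT_KEYS = new Set(['title', 'description', 'summary']);

// Deep-copy the spec, escaping every TEXT_KEYS string at any depth (info,
// tags, operations, parameters). Feed the copy only to a renderer that
// interpolates raw; escaping twice would turn "<" into "&amp;lt;".
function sanitizeOpenApiText(node) {
  if (Array.isArray(node)) return node.map(sanitizeOpenApiText);
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(node)) {
      out[key] = TEXT_KEYS.has(key) && typeof val === 'string'
        ? escapeHtml(val)
        : sanitizeOpenApiText(val);
    }
    return out;
  }
  return node;
}

// Hypothetical stand-in for a doc generator that interpolates fields raw.
function renderDocsHtml(spec) {
  const ops = Object.entries(spec.paths)
    .map(([p, item]) => `<li>${p}: ${item.get ? item.get.summary : ''}</li>`).join('');
  return `<h1>${spec.info.title}</h1><p>${spec.info.description}</p><ul>${ops}</ul>`;
}

// Post-render check: a raw <script> tag means some field reached HTML unescaped.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed spec carrying the probe payload the advisory mentions.
const CONSTRUCTED_SPEC = {
  openapi: '3.1.0',
  info: { title: 'Demo API', description: '<script>alert(1)</script>' },
  paths: { '/users': { get: { summary: 'List users & groups' } } },
};

function demo() {
  const unsafe = renderDocsHtml(CONSTRUCTED_SPEC);
  const safe = renderDocsHtml(sanitizeOpenApiText(CONSTRUCTED_SPEC));
  return { unsafeHasScript: containsRawScript(unsafe), safeHasScript: containsRawScript(safe), safe };
}
console.log(demo());
```

The same containsRawScript check, run over the documentation HTML after upgrading, is one way to do the post-upgrade verification the advisory recommends.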
Update oRPC to version 1.13.9 or later. This version fixes the stored XSS vulnerability in OpenAPI documentation generation. The update prevents an attacker who controls fields within the OpenAPI specification from executing arbitrary JavaScript when a user views the generated documentation.
CVE-2026-33331 is a Stored Cross-Site Scripting (XSS) vulnerability in the OpenAPI documentation generation of @orpc/openapi, allowing attackers to inject JavaScript via the OpenAPI specification.
You are affected if you use a version of @orpc/openapi prior to 1.13.9, which exposes viewers of the generated API documentation to XSS.
Upgrade to version 1.13.9 or later of @orpc/openapi. Implement input validation on user-controlled data within the OpenAPI specification.
No active exploitation has been confirmed at this time, but the vulnerability is considered high severity and should be addressed promptly.
Refer to the @orpc/openapi project's repository or website for the official advisory and release notes related to this vulnerability.