115 matches found
EUVD-2025-198644
Malicious code in @asyncapi/specs npm...
MAL-2025-190643 Malicious code in @asyncapi/specs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46e1904e729f9b51f22f0c24624af6ce0bfa9e7a02a0968c15469cd5ba665c2f The package @asyncapi/specs was found to contain malicious code. Source: ghsa-malware 5715faf8c80acf7c963aac8c332a2cffed06a23ca9663a2fdcb6fd11be4325e...
EUVD-2021-1933
Malware in sbrugna...
CVE-2021-37694
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...
CVE-2023-23619 Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue...
@asyncapi/cli (>=0.21.0 <=0.27.3), @asyncapi/dotnet-nats-template (>=0.2.0 <=0.8.4) +9 more potentially affected by CVE-2023-23619 via @asyncapi/modelina (>=0.11.0 <=0.9.0)
@asyncapi/modelina NPM version =0.11.0, =0.21.0, =0.2.0, =0.1.8, =0.3.33, =0.4.0, =0.0.1, =0.0.1, =0.1.0, =0.1.7 Source cves: CVE-2023-23619 Source advisory: OSV:GHSA-4JG2-84C2-PJ95...
GHSA-4JG2-84C2-PJ95 Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Impact Anyone who is using the default presets and/or does not handle the functionality themself. Patches It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not...
Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Impact Anyone who is using the default presets and/or does not handle the functionality themself. Patches It has not been patched yet. Workarounds Fully custom presets that change the entire rendering process which can then escape the user input. For more information Even though that I changed al...
Code injection issue for java-spring-cloud-stream-template
The following was initially reported by @jonaslagoni: Given the following command: ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output With the following AsyncAPI document: json "asyncapi": "2.0.0", "info": "title": "Streetlight", "version": "1.0.0" ,...
Improper Control of Generation of Code ('Code Injection')
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. Arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to upda...
CVE-2021-37694
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...
Code injection
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...
CVE-2021-37694 Code injection issue for java-spring-cloud-stream-template
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...
CVE-2021-37694
Summary (CVE-2021-37694): The issue affects the @asyncapi/java-spring-cloud-stream-template that generates a Spring Cloud Stream microservice. In versions before 0.7.0, an attacker who controls the AsyncAPI document could trigger arbitrary code injection during generation. The root cause is tied ...
Java Spring Cloud Stream template code injection vulnerability
The Java Spring Cloud Stream template is a template for the AsyncAPI generator. A code injection vulnerability exists in Java Spring Cloud Stream template prior to version 0.7.0 for generating SpringCloudStream SCSt microservices, which can be exploited by an attacker to take control of an AsyncA...