API Specification Code Generation Vulnerability in Hey API
CVE-2026-48819
4.8MEDIUM
What is CVE-2026-48819?
A code generation vulnerability in Hey API allows attackers to exploit runtime templates in generated SDKs prior to version 0.97.3. This flaw enables the injection of attacker-controlled parameters, which can corrupt the intended data structure. By introducing slot-prefixed keys like $query__proto__, attackers can manipulate the API's functionality through prototype pollution, potentially leading to security breaches during the handling of API requests. The issue has been addressed in version 0.97.3.
Affected Version(s)
openapi-ts < 0.97.3
