Zip Slip path traversal fixed in Quarkus OpenAPI Generator
TL;DR — A Zip Slip path traversal in quarkus-openapi-generator can let a crafted ZIP write files outside the intended codegen output directory, creating a CI/build supply-chain foothold.
What happened
Quarkus OpenAPI Generator is a Quarkus extension (io.quarkiverse.openapi.generator:quarkus-openapi-generator) used to generate REST clients and server stubs from OpenAPI, including flows that unpack ZIP artifacts during code generation.
CVE-2026-40180 describes a path traversal (Zip Slip) issue in ApicurioCodegenWrapper.java where the unzip() logic writes ZIP entries to disk without validating that the resolved destination path stays within the intended output directory. A malicious ZIP containing traversal sequences (e.g., ../../...) can therefore cause writes outside the target folder.
| Item | Source value |
|---|---|
| Affected software | io.quarkiverse.openapi.generator:quarkus-openapi-generator |
| Impact | Arbitrary file write outside intended output directory (Zip Slip) |
| Severity | CVSS v4.0 7.7 (High) |
| Weakness | CWE-22 (Path Traversal) |
This is an appsec-relevant build pipeline risk: “write outside output directory” bugs frequently become source/code injection opportunities in CI/CD and code generation workflows, where generated artifacts are compiled, packaged, and deployed automatically.
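The missing containment check described above, shown as an added example rather than code from the quarkus-openapi-generator project: the unchecked pattern resolves the entry name straight under the output directory, while the hardened variant normalizes the result and requires it to stay under that directory. Class and method names are assumed, and the archive is constructed in a temporary directory so the check can be exercised offline.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.zip.*;

public class ZipSlipDemo {
    // Vulnerable pattern as the advisory describes it: the entry name is joined to the
    // output directory and used as-is, so "../" components walk out of outDir.
    static Path vulnerableTarget(Path outDir, ZipEntry entry) {
        return outDir.resolve(entry.getName());
    }

    // Hardened variant: normalize, then require the result to stay under outDir.
    // Path.startsWith is component-wise, so "out" does not match a sibling "out-other".
    static Path safeTarget(Path outDir, ZipEntry entry) throws IOException {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = base.resolve(entry.getName()).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Zip Slip entry rejected: " + entry.getName());
        }
        return target;
    }

    // Extraction loop that fails closed on the first escaping entry.
    static void unzip(Path zip, Path outDir) throws IOException {
        try (ZipInputStream in = new ZipInputStream(Files.newInputStream(zip))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; in.closeEntry()) {
                Path target = safeTarget(outDir, e);
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("zipslip-demo");
        Path zip = tmp.resolve("constructed.zip");
        // Constructed sample archive: one benign entry, one with traversal components.
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(zip))) {
            out.putNextEntry(new ZipEntry("gen/Client.java")); out.write("// ok".getBytes()); out.closeEntry();
            out.putNextEntry(new ZipEntry("../../escaped.txt")); out.write("x".getBytes()); out.closeEntry();
        }
        Path outDir = tmp.resolve("a/b/out");
        ZipEntry bad = new ZipEntry("../../escaped.txt");
        System.out.println("unchecked resolve would write to: " + vulnerableTarget(outDir, bad).normalize());
        try { unzip(zip, outDir); } catch (IOException ex) { System.out.println("hardened unzip: " + ex.getMessage()); }
        System.out.println("file landed outside outDir? " + Files.exists(tmp.resolve("a/escaped.txt")));
    }
}
```

Because the check runs per entry, the benign entry is already on disk when the escaping one is rejected; a codegen step that must be all-or-nothing should validate every entry name before writing anything, or extract into a fresh scratch directory and move it into place only on success.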
Who is impacted
- Projects using quarkus-openapi-generator versions marked affected in the CVE record.
- Higher-risk environments where code generation runs in CI/CD and ZIP inputs can be influenced (directly or indirectly) by an attacker (e.g., dependency/artifact source compromise or interception upstream).
| Track | Affected versions (CVE record) | Fixed versions (CVE record) |
|---|---|---|
| LTS line | < 2.15.0-lts | 2.15.0-lts |
| Main line | < 2.16.0 | 2.16.0 |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"This vulnerability is fixed in 2.16.0 and 2.15.0-lts."
- Inventory where io.quarkiverse.openapi.generator:quarkus-openapi-generator is used (repos, build images, and CI templates), and identify pipelines that unpack/consume ZIP inputs during code generation.
- Treat this as a build-integrity issue:
- Review whether the codegen job has write access beyond its workspace and reduce privileges where feasible.
- Validate whether any generated outputs are automatically committed, published, or deployed, and add integrity checks/gates appropriate to your supply-chain model.
