Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory
Description
swagger-codegen before 2.4.19 has a local privilege escalation vulnerability via insecure creation of temporary files in a shared directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
In swagger-codegen before version 2.4.19, the getTmpFolder() method of the online generator (modules/swagger-generator, Generator.java) creates its working directory inside the system temporary directory, which on Unix-like systems is shared by every local user. It does so with a race-prone three-step sequence: File.createTempFile() to reserve a name, delete() to remove that file, and mkdir() to recreate the same name as a directory. Between the delete() and the mkdir() the name is unclaimed, and the boolean that mkdir() returns is never checked, so a collocated attacker who watches the shared directory and wins the race can create the subdirectory first, with permissions and contents of their choosing, and the generator carries on using it as if it were its own [1][2].
Exploitation
A local user with access to the shared temporary directory can watch for the codegen-*-tmp file to appear and act in the window before the mkdir() call. By creating the directory themselves, the attacker owns it and decides its permissions and initial contents; because the generator ignores the false that mkdir() then returns, swagger-codegen writes the generated code into the attacker's directory, where the attacker can read, replace, or append to the output [2].
Impact
Successful exploitation leads to local privilege escalation, as the attacker can inject arbitrary code into the outputFolder. If that code is later executed (e.g., as part of a build or server process), it runs under the context of the victim user, potentially compromising the system [1][2].
Mitigation
The vulnerability is fixed in swagger-codegen version 2.4.19. The fix replaces the createTempFile()/delete()/mkdir() sequence with a single Files.createTempDirectory() call, which picks a fresh random name and creates the directory in one operation; on POSIX file systems the JDK creates it with owner-only (rwx------) permissions, and if the chosen name already exists the call fails and retries with another name instead of adopting the existing directory [2][3]. Users should update to 2.4.19 or later. Deployments of the online generator on multi-user hosts that cannot upgrade immediately can additionally point java.io.tmpdir at a directory only the service account can enter, which removes the shared-directory precondition the attack depends on.
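The race described under Description and Exploitation, placed next to the 2.4.19 replacement, as an added example that is not swagger-codegen's own code. The class name TmpFolderRace, the Consumer<File> hook that stands in for a collocated user winning the race (a real attacker would watch the shared directory from a separate process), and the isPrivateDirectory() check are assumptions of this illustration; the two getTmpFolder() shapes follow the before and after of the patch.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;
import java.util.function.Consumer;

// Added illustration, not swagger-codegen code. The Consumer<File> hook is a
// harness assumption: it runs in the unclaimed-name window between delete()
// and mkdir() and plays the part of a collocated user who wins the race.
public class TmpFolderRace {

    // Shape of getTmpFolder() before 2.4.19: reserve a name with a temp
    // file, delete it, then mkdir() the same name. The boolean that mkdir()
    // returns is discarded, as in the original, so a directory someone else
    // created at that path in the meantime is silently adopted.
    static File vulnerableTmpFolder(Consumer<File> attackerWindow) throws IOException {
        File outputFolder = File.createTempFile("codegen-", "-tmp");
        outputFolder.delete();
        attackerWindow.accept(outputFolder); // the unclaimed-name window
        outputFolder.mkdir();                // result ignored
        outputFolder.deleteOnExit();
        return outputFolder;
    }

    // Shape of getTmpFolder() from 2.4.19 on: one createTempDirectory() call
    // picks a fresh random name and creates it atomically; on POSIX file
    // systems the JDK creates it with owner-only (rwx------) permissions.
    static File hardenedTmpFolder() throws IOException {
        File outputFolder = Files.createTempDirectory("codegen-").toFile();
        outputFolder.deleteOnExit();
        return outputFolder;
    }

    // Check to run before writing generated sources into a temp folder: it
    // must be a real directory (not a symlink), owned by the current user,
    // and carry no group or other permission bits. The owner comparison
    // assumes a Unix-style principal name; on file systems without POSIX
    // permissions there are no mode bits to inspect.
    static boolean isPrivateDirectory(File dir) throws IOException {
        Path p = dir.toPath();
        if (!Files.isDirectory(p, LinkOption.NOFOLLOW_LINKS)) {
            return false;
        }
        String me = System.getProperty("user.name");
        if (!Files.getOwner(p, LinkOption.NOFOLLOW_LINKS).getName().equals(me)) {
            return false;
        }
        try {
            Set<PosixFilePermission> perms =
                    Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
            for (PosixFilePermission perm : perms) {
                String n = perm.name();
                if (n.startsWith("GROUP_") || n.startsWith("OTHERS_")) {
                    return false;
                }
            }
        } catch (UnsupportedOperationException e) {
            // non-POSIX file system: nothing more to check
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Simulated race: the "attacker" creates the expected path first and
        // opens it up so any local user can read or replace whatever the
        // generator later writes there.
        File victim = vulnerableTmpFolder(f -> {
            f.mkdir();
            f.setReadable(true, false);
            f.setWritable(true, false);
            f.setExecutable(true, false);
        });
        System.out.println(victim + " private=" + isPrivateDirectory(victim));

        File fixed = hardenedTmpFolder();
        System.out.println(fixed + " private=" + isPrivateDirectory(fixed));
    }
}
```

Run with `java TmpFolderRace.java` on a Unix-like host: the directory handed back by the vulnerable sequence fails the check because the hook's world-writable mode bits survive the ignored mkdir(), while the hardened one passes. The same isPrivateDirectory() check is a reasonable guard in any code that consumes a directory produced by a library it does not control.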
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.swagger:swagger-codegen (Maven) | < 2.4.19 | 2.4.19 |
Affected products
- Range: < 2.4.19
Patches
- 987ea7a30b46: Merge pull request from GHSA-pc22-3g76-gm6j
1 file changed · +2 −3
modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java+2 −3 modified@@ -15,6 +15,7 @@ import org.slf4j.LoggerFactory; import java.io.File; +import java.nio.file.Files; import java.util.ArrayList; import java.util.LinkedHashMap; import java.util.List; @@ -173,9 +174,7 @@ public static InputOption serverOptions(@SuppressWarnings("unused") String langu protected static File getTmpFolder() { try { - File outputFolder = File.createTempFile("codegen-", "-tmp"); - outputFolder.delete(); - outputFolder.mkdir(); + File outputFolder = Files.createTempDirectory("codegen-").toFile(); outputFolder.deleteOnExit(); return outputFolder; } catch (Exception e) {
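Review bot: in the getTmpFolder() hunk the removed lines show why the race was exploitable rather than merely theoretical: `outputFolder.mkdir();` discards its boolean result, so when a collocated user has already created that name in the gap after `outputFolder.delete();`, the method returns the attacker's directory as if it had created it. The replacement `Files.createTempDirectory("codegen-")` closes the gap by creating a fresh random name in one call and, on POSIX file systems, with owner-only permissions. Two points remain at the call site: `outputFolder.deleteOnExit();` is unchanged and only removes an empty directory at JVM exit, so generated sources written into it will persist in the shared temp directory until something else cleans them up; and the hunk ends at `} catch (Exception e) {`, so the handling of the IOException that createTempDirectory() can throw lies outside the visible change and is worth confirming so that a failed creation surfaces as an error rather than a null or reused folder.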
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pc22-3g76-gm6j (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21363 (GHSA; ADVISORY)
- github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89 (GHSA; x_refsource_MISC; WEB)
- github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j (GHSA; x_refsource_CONFIRM; WEB)
News mentions
No linked articles in our index yet.