GHSA-2jcc-mxv7-p3f9: oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Summary
From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.
Impact
A caller who set --allow-external-refs=false *specifically to safely process untrusted specs* remained exposed — on the git-revision load path only — to:
- SSRF via $ref: "http://<internal-host>/…", and
- Local file reads via $ref: "/path" or file://.
Affected callers:
- CLI: oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false (and breaking / changelog / summary, and the git-diff-driver) run over untrusted spec content.
- Go library consumers of github.com/oasdiff/oasdiff/load that set IsExternalRefsAllowed = false and load from a git-revision source via load.NewSpecInfo.
The file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (true) are not in scope for *this* advisory.
Patches
v1.18.1 enforces the external-refs policy on the git-revision path (so --allow-external-refs=false now blocks external $refs there) and returns a dedicated exit code (123) when an external $ref is refused.
Workarounds
- Upgrade to v1.18.1, or
- Avoid the git-revision input form when processing untrusted specs with external refs disabled.
Notes
- Introduced in v1.13.2 (#832, which added $ref-chain resolution on the git-revision path); fixed in v1.18.1 (#974, #975).
- The permissive default (allow-external-refs: true) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).
Details
Original advisory: https://github.com/advisories/GHSA-2jcc-mxv7-p3f9
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53508 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10