The OFA outlines this issue. What they are saying is that because the Swagger is a JSON document, if you use a code generator that simply regurgitates its values without validation, you could end up with code executing in the context of whatever is consuming the API. The issue is with the code generators, not the Swagger documentation.
An example they give as an attack on HTML is the following (with angle brackets instead of square ones, obviously):
I guess the idea is that you have used Swagger code generator to create code to call the RESTful APIs you are interested in. The code generator includes this description (which seems kind of odd) in the generated code, giving you an alert when a page including this code is loaded. They also give an example of attacking the "paths" property (which includes information on what URLs can be used to call specific APIs) which would execute code on the back end. I could see this being more a legitimate problem.
A few things though before we all freak out:
- If you are calling APIs from a party you don't know and trust, you are doing it wrong.
- If you are calling APIs without reviewing them and their documentation, you are doing it wrong. If you are looking at a Swagger document and somebody put in a PHP or Ruby injection attack, it will stick out like a sore thumb.
- For the vulnerability to be exploited, the party you trust with your data would have to insert malicious definitions into their Swagger file, and include enough definitions to attack all of the platforms that code will be generated for.
- Because Swagger is now an open specification (Open API), the code generators in question can be updated pretty easily.
Titles like ZDNet's "Severe Swagger vulnerability compromises NodeJS, PHP, Java" are gratuitous hyperbole. Slashdot's title is a little better because it at least refines the panic to "tools", but still not great. There is an issue here, but the internet is not going to go down in flames over this one.
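To make the generator bug described at the top of the post concrete, here is an added example (not code from the post, from Swagger, or from any real code generator): a toy Python generator that copies spec values straight into a JavaScript client stub, next to a version that validates the structural fields (paths, methods, operationIds) and emits free text only as escaped string literals. The spec and its summary value are constructed for illustration.

```python
import json
import re

# Constructed sample spec (not from the original post): the summary field
# carries a quote and a statement that would break out of a string literal.
SAMPLE_SPEC = {"paths": {"/pets/{id}": {"get": {
    "operationId": "getPet",
    "summary": 'Fetch a pet"; alert(1); //',
}}}}

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
PATH = re.compile(r"^/[A-Za-z0-9_\-./{}]*$")  # only path-template characters
METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}


def naive_generate(spec):
    """Copies spec values straight into JavaScript source, the way the affected generators did."""
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            out.append('const %s_summary = "%s";' % (op["operationId"], op.get("summary", "")))
            out.append('function %s() { return fetch("%s", {method: "%s"}); }'
                       % (op["operationId"], path, method.upper()))
    return "\n".join(out)


def validate_spec(spec):
    """Return problems found in the fields that land in source code as identifiers or paths."""
    problems = []
    for path, ops in spec.get("paths", {}).items():
        if not PATH.match(path):
            problems.append("path %r has characters outside the template grammar" % path)
        for method, op in ops.items():
            if method.lower() not in METHODS:
                problems.append("unknown HTTP method %r" % method)
            if not IDENT.match(op.get("operationId", "")):
                problems.append("operationId %r is not a plain identifier" % op.get("operationId"))
    return problems


def safe_generate(spec):
    """Reject structural fields that fail validation; emit free text only as escaped literals."""
    problems = validate_spec(spec)
    if problems:
        raise ValueError("; ".join(problems))
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            # json.dumps escapes quotes, backslashes and control characters, so the
            # summary cannot terminate the literal; the result is also a valid JS string literal.
            out.append("const %s_summary = %s;" % (op["operationId"], json.dumps(op.get("summary", ""))))
            out.append("function %s() { return fetch(%s, {method: %s}); }"
                       % (op["operationId"], json.dumps(path), json.dumps(method.upper())))
    return "\n".join(out)
```

Running `validate_spec` over a third-party Swagger file before generating anything is the cheap check the post's "review the documentation" advice amounts to in practice.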