Oscerd

#30136 of 53,625
8.7 Total CVSS
Vulnerabilities · 1
PT-2026-32035
8.7
2026-04-08
Red Hat · Quarkus-Openapi-Generator · CVE-2026-40180
Name of the Vulnerable Software and Affected Versions
Quarkus OpenAPI Generator versions prior to 2.16.0 and 2.15.0-lts

Description
The `unzip()` method in `ApicurioCodegenWrapper.java` does not validate that the file path of extracted ZIP entries remains within the intended output directory. The destination file path is constructed using `new File(toOutputDir, entry.getName())` without proper validation. A malicious ZIP archive containing path traversal sequences (e.g., `../../malicious.java`) could allow writing files outside the target directory. This could lead to overwriting source files, injecting malicious code, or modifying configuration files, potentially resulting in a supply chain compromise.

Recommendations
Update to version 2.16.0 or 2.15.0-lts.
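The hardened form of this extraction, as an added Java example that is not taken from the Quarkus OpenAPI Generator code base: the class name `SafeUnzip`, the `resolveEntry` helper and the constructed sample archive are assumptions. The check normalizes each entry path against the output directory and refuses any entry that lands outside it.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Zip Slip check: resolve the entry name against the output directory and
    // reject it when the normalized result lies outside that directory.
    static Path resolveEntry(Path toOutputDir, String entryName) throws IOException {
        Path base = toOutputDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("ZIP entry escapes output directory: " + entryName);
        }
        return target;
    }
    // Hardened unzip(): the original `new File(toOutputDir, entry.getName())`
    // would pass "../../malicious.java" through unchanged.
    static void unzip(InputStream zipData, File toOutputDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveEntry(toOutputDir.toPath(), entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("generated/Hello.java"));
            zos.write("class Hello {}".getBytes(StandardCharsets.UTF_8));
            zos.putNextEntry(new ZipEntry("../../malicious.java"));
            zos.write("class Evil {}".getBytes(StandardCharsets.UTF_8));
        }
        File outDir = Files.createTempDirectory("codegen-out").toFile();
        try {
            unzip(new ByteArrayInputStream(buf.toByteArray()), outDir);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage()); // traversal entry refused
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory such as `out-dir2` is not mistaken for `out-dir`, and an absolute entry name resolves to itself and is likewise rejected.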