Swagger staggered as hacker drops dapper code execution cracker
An unpatched remote code execution hole has been publicly disclosed in the popular Swagger API framework, putting users at risk.
The client- and server-side hole (CVE-2016-5641) exists in code generators within the REST programming tool, also known as the OpenAPI Specification.
A module for the popular Metasploit hacking suite has been crafted, making exploitation of the flaw easier. Application security researcher Scott Davis says injectable parameters in Swagger JSON or YAML files allow remote code execution across NodeJS, PHP, Ruby, and Java.
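The practical defence the article implies is to treat a Swagger/OpenAPI document from an untrusted source as input, not as trusted configuration, and to refuse to run a code generator over it until the fields that get pasted into generated source are checked. The script below is an added example, not code from the article, from Scott Davis or from the Swagger project. It assumes (as an assumption, not a documented fact about any particular generator) that parameter names, `operationId` values, definition names and property names are the values most likely to be emitted verbatim as identifiers, and it rejects any that are not plain identifiers (header parameter names are allowed hyphens). The spec embedded in it is a constructed sample.

```python
import json
import re

# Identifier shape that can be emitted verbatim into NodeJS, PHP, Ruby or
# Java source without escaping. Anything outside this shape is rejected
# before the spec is handed to a code generator.
SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# HTTP header names legitimately contain hyphens (e.g. X-Trace-Id).
HEADER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")

# Assumption: values of these fields become parameter / method names.
IDENT_VALUE_FIELDS = {"name", "operationId"}
# Assumption: keys of these maps become model / field names.
IDENT_KEY_PARENTS = {"definitions", "properties"}


def find_unsafe_names(node, path="$", parent_key=None, findings=None):
    """Walk a parsed Swagger 2.0 document and collect every (json-path, value)
    that would be pasted into generated source but is not a plain identifier."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}"
            # Keys of definitions/properties maps are emitted as names.
            if parent_key in IDENT_KEY_PARENTS and not SAFE_IDENT.match(key):
                findings.append((child_path, key))
            # Values of name/operationId are emitted as names; header
            # parameters get the looser header-name rule.
            if key in IDENT_VALUE_FIELDS and isinstance(value, str):
                pattern = HEADER_NAME if node.get("in") == "header" else SAFE_IDENT
                if not pattern.match(value):
                    findings.append((child_path, value))
            find_unsafe_names(value, child_path, key, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            find_unsafe_names(item, f"{path}[{i}]", parent_key, findings)
    return findings


def lint_spec(spec_text):
    """Parse a JSON Swagger document and return the list of unsafe names
    (an empty list means the spec passed the gate)."""
    return find_unsafe_names(json.loads(spec_text))


# Constructed sample: two of the five emitted names are not identifiers.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Pet store (constructed sample)", "version": "1.0"},
    "paths": {
        "/pets/{petId}": {
            "get": {
                "operationId": "getPet",
                "parameters": [
                    {"name": "petId", "in": "path", "required": True, "type": "string"},
                    {"name": "X-Trace-Id", "in": "header", "type": "string"},
                    {"name": "sort order", "in": "query", "type": "string"},
                ],
                "responses": {"200": {"description": "ok"}},
            }
        }
    },
    "definitions": {
        "Pet": {
            "type": "object",
            "properties": {
                "id": {"type": "integer"},
                "display-name": {"type": "string"},
            },
        }
    },
})

if __name__ == "__main__":
    problems = lint_spec(SAMPLE_SPEC)
    for json_path, value in problems:
        print(f"REJECT {json_path}: {value!r} is not a safe identifier")
    if not problems:
        print("spec passed: safe to hand to the code generator")
```

Run this as a gate in the build step that invokes the generator (fail the build when the returned list is non-empty). The regular expressions are deliberately conservative; a spec that trips them may be harmless, but each rejection is something a reviewer should look at before the generator turns it into source that will be compiled and executed.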