An unpatched remote code execution hole has been publicly disclosed in the popular Swagger API framework, putting users at risk.

The client and server hole (CVE-2016-5641) exists in code generators within the REST programming tool, also know as the OpenAPI Specification.

A module for the popular Metasploit hacking suite has been crafted making exploitation of the flaw easier.

Application security researcher Scott Davis says an injectable parameters in Swagger JSON or YAML files allow remote code execution across NodeJS, PHP, Ruby, and Java.

"By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service," Davis says.

"This is considered an abuse of trust in definition of service, and could be an interesting space for further research."

Swagger maintainers have been quiet, despite the disclosure made last month through US CERT, which was coupled with a patch proffered by Rapid 7.

Other code generation tools may be open to parameter injection, Davis warns.

The Swagger generators are a "powerful" means for organisations to offer developers easy access to their APIs, but many fail to account for malicious Swagger definition documents.

These documents would lead to classic parameter injection.

Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base. On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.

On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs.

Users can do little but "carefully inspect Swagger documents" for language-specific escape sequences, until the affected code generators are patched by maintainers. ®