Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
Published: 2026-01-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

Orval produces type‑safe TypeScript clients from OpenAPI specs. In vulnerable versions the value of the const keyword on a schema property is interpolated directly into the generated mock source by the faker scalar getter, with no escaping and no check that the value is a scalar of the declared type. A crafted OpenAPI document can therefore place arbitrary TypeScript or JavaScript in the generated interface definitions and faker/MSW handlers, and that code runs wherever the mock module is imported or executed, typically a test suite or a development build that registers the MSW handlers. The CVE does not name an attack vector; the one that follows from the description is a crafted specification reaching Orval during a build or CI step, for example a third party's API spec fetched as part of the build.
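As an added example that is not Orval's code (the advisory names getMockScalar in packages/mock/src/faker/getters/scalar.ts but its implementation is not reproduced here), the following TypeScript models the pattern from the description and the Impact paragraph: a schema const pasted into generated mock source with no escaping, beside an emitter that checks the value against the declared type and serialises it with JSON.stringify. The schema shape, function names, the payload string and the `sink` object are illustrative assumptions.

```typescript
// Added example, not Orval's code: a minimal mock emitter that models the
// pattern described for getMockScalar (a schema `const` interpolated into
// the generated mock source), beside a hardened version. Schema shape,
// function names and the payload are illustrative assumptions.

interface SchemaProperty {
  type?: "string" | "number" | "integer" | "boolean";
  const?: unknown;
}

type Emitter = (prop: SchemaProperty) => string;

// Vulnerable pattern: the const value is pasted into the source text. For a
// string only the surrounding quotes are added; nothing inside the value is
// escaped, so a quote in the value terminates the literal early.
export const emitConstUnsafe: Emitter = (prop) =>
  typeof prop.const === "string" ? `'${prop.const}'` : String(prop.const);

// Hardened pattern: reject values that do not match the declared type, then
// let JSON.stringify produce the literal. Every JSON string literal is a valid
// JS string literal with quotes, backslashes and newlines escaped.
export const emitConstSafe: Emitter = (prop) => {
  const v = prop.const;
  const expected = prop.type === "integer" ? "number" : prop.type;
  if (expected !== undefined && typeof v !== expected) {
    throw new Error(`const ${JSON.stringify(v)} does not match type ${prop.type}`);
  }
  if (prop.type === "integer" && !Number.isInteger(v)) {
    throw new Error(`const ${JSON.stringify(v)} is not an integer`);
  }
  return JSON.stringify(v);
};

// Emit the body of a mock module: a factory returning the response object,
// which is what an MSW handler would call. Non-const fields get a fixed
// placeholder instead of a faker call, since only the const path matters here.
export function generateMockModule(
  schema: Record<string, SchemaProperty>,
  emit: Emitter,
): string {
  const fields = Object.entries(schema)
    .map(([name, prop]) => `  ${name}: ${prop.const !== undefined ? emit(prop) : "'generated'"},`)
    .join("\n");
  return `const mock = () => ({\n${fields}\n});\nreturn mock;`;
}

// Constructed payload: closes the string, the object literal and the arrow
// function, runs a statement, then opens a fresh literal so the remaining
// emitted text still parses.
export const payload = "x' }); sink.hit = true; ({ y: '";

// Constructed sample schema: one poisoned const, one benign integer const,
// one field with no const at all.
export const sampleSchema: Record<string, SchemaProperty> = {
  status: { type: "string", const: payload },
  version: { type: "integer", const: 3 },
  note: { type: "string" },
};

// Load the generated module the way an importing test or MSW setup would.
// `sink` stands in for whatever module-scope code in the mock file could reach.
export function loadMock(source: string) {
  const sink: { hit?: boolean } = {};
  const mock = new Function("sink", source)(sink) as () => Record<string, unknown>;
  return { sink, mock };
}
```

With `emitConstUnsafe` the generated module reads `const mock = () => ({ status: 'x' }); sink.hit = true; ({ y: '', ... });`, so the injected statement runs the moment the file is loaded and the mock silently returns a truncated object. With `emitConstSafe` the same spec yields a single string literal that round-trips to the original value, and a const whose JavaScript type disagrees with the schema type (a number under `type: string`, a non-integer under `type: integer`) is rejected at generation time rather than emitted as whatever literal it happens to stringify to.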

Affected Systems

The vulnerability affects the Orval library from orval‑labs. Versions 7.19.0 and all earlier releases, as well as 8.0.0‑rc.0 through 8.0.2, are impacted. The issue is resolved in 7.20.0 and later, and in 8.0.3 and later. No other vendors or versions are affected.

Risk and Exploitability

The CVSS 4.0 score of 7.7 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, assigned by GitHub) rates the issue high; NVD's separate CVSS 3.1 assessment of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates it critical. The 4.0 vector's AT:P and UI:P components capture the real precondition: someone has to run the generator on the attacker's specification and then import the resulting mock files. The EPSS score is below 1 %, signalling a low expected exploitation frequency, and the issue is not listed in CISA's KEV catalog. Exploitation requires a build‑time or CI system that processes untrusted OpenAPI documents; once an attacker controls the spec fed to Orval, the injected code is generated and runs in any runtime that imports the mock modules. Because the flaw manifests during code generation, it must be mitigated at development or build time rather than at application runtime, and a poisoned mock file that was committed to the repository remains a live payload until it is regenerated with a fixed version or removed.

Generated by OpenCVE AI on April 18, 2026 at 15:21 UTC.

Remediation

The upstream fix ships in Orval 7.20.0 and 8.0.3 (see the description and GHSA-f456-rf33-4626). No separate workaround is listed by the vendor; the actions below are OpenCVE's own.

OpenCVE Recommended Actions

  • Upgrade Orval to version 7.20.0 or newer, or to version 8.0.3 or newer, to apply the vendor patch.
  • If an upgrade is not immediately possible, restrict Orval to trusted, internally vetted OpenAPI specifications and prevent the tool from consuming arbitrary external documents.
  • Confirm that the code‑generation step only consumes specifications from trusted sources, and review generated mock files and interface definitions for const values that contain anything other than a plain literal before committing or deploying them.
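For pipelines that cannot upgrade yet, the second and third actions above can be enforced before Orval runs. The following is an added example, not part of Orval or of this advisory: a gate that walks an already-parsed OpenAPI document, finds every schema const, and reports the ones an unescaped emitter could turn into code or mistype. The function names, the breakout character set and the sample spec are illustrative assumptions.

```typescript
// Added example, not part of Orval or the advisory: a pre-generation gate
// that walks a parsed OpenAPI document and reports every schema `const`
// whose value could not be emitted as a plain scalar literal. Names and
// the sample spec below are illustrative assumptions.

export interface ConstFinding {
  path: string;
  value: unknown;
  reason: string;
}

// Characters that terminate or escape a JS string literal, or open a template
// substitution. A hardened emitter escapes them; an unescaped one does not.
const BREAKOUT = /['"`\\\n\r]|\$\{/;

// Decide whether a const value is safe to hand to a generator that may
// interpolate it verbatim. Returns null when the value is a plain scalar of
// the declared type without breakout characters.
function check(value: unknown, declaredType: unknown): string | null {
  if (value === null || typeof value === "object") {
    return "non-scalar const";
  }
  if (typeof value === "string" && BREAKOUT.test(value)) {
    return "string const contains a quote, backslash, newline or ${";
  }
  const expected = declaredType === "integer" ? "number" : declaredType;
  if (typeof expected === "string" && typeof value !== expected) {
    return `const is ${typeof value}, schema type is ${declaredType}`;
  }
  return null;
}

// Recursive walk over the whole document. `parentKey` lets us tell the
// `const` keyword apart from a property literally named "const": inside a
// `properties` object the keys are property names, not keywords.
export function auditConsts(doc: unknown, path = "#", parentKey = ""): ConstFinding[] {
  const findings: ConstFinding[] = [];
  if (Array.isArray(doc)) {
    doc.forEach((item, i) => findings.push(...auditConsts(item, `${path}/${i}`, "")));
    return findings;
  }
  if (doc === null || typeof doc !== "object") {
    return findings;
  }
  const obj = doc as Record<string, unknown>;
  if (parentKey !== "properties" && "const" in obj) {
    const reason = check(obj.const, obj.type);
    if (reason) {
      findings.push({ path: `${path}/const`, value: obj.const, reason });
    }
  }
  for (const [key, child] of Object.entries(obj)) {
    findings.push(...auditConsts(child, `${path}/${key}`, key));
  }
  return findings;
}

// Constructed sample spec fragment: one benign const, one const carrying a
// literal-breakout payload, one const whose type disagrees with the schema,
// and a property that happens to be named "const".
export const sampleSpec = {
  openapi: "3.0.3",
  components: {
    schemas: {
      Pet: {
        type: "object",
        properties: {
          kind: { type: "string", const: "dog" },
          status: { type: "string", const: "x' }); sink.hit = true; ({ y: '" },
          count: { type: "integer", const: "1" },
          const: { type: "string", const: "literal-prop-named-const" },
        },
      },
    },
  },
};
```

Run `auditConsts` on the parsed spec (after YAML or JSON parsing, before `$ref` resolution so that paths stay meaningful) and fail the build on any finding. The type check matters as much as the character check: a string `"1"` under `type: integer` is not a breakout, but a generator that trusts the declared type and pastes the value will emit the wrong literal, and the same laxity is what lets an object or array const become arbitrary source.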

Advisories
Source: GitHub GHSA
ID: GHSA-f456-rf33-4626
Title: Orval Mock Generation Code Injection via const
History

Fri, 27 Feb 2026 19:15:00 +0000

Values added:
  First Time appeared: Orval; Orval orval
  Weaknesses: CWE-94
  CPEs: cpe:2.3:a:orval:orval:*:*:*:*:*:*:*:*
  Vendors & Products: Orval; Orval orval
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 20:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Values added:
  First Time appeared: Orval-labs; Orval-labs orval
  Vendors & Products: Orval-labs; Orval-labs orval


Fri, 23 Jan 2026 00:00:00 +0000

Values added:
  Description: Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
  Title: Orval Mock Generation Code Injection via const
  Weaknesses: CWE-77
  References:
  Metrics: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-23T20:01:12.356Z

Reserved: 2026-01-21T18:38:22.474Z

Link: CVE-2026-24132

Vulnrichment

Updated: 2026-01-23T20:01:01.841Z

NVD

Status : Analyzed

Published: 2026-01-23T00:15:52.403

Modified: 2026-02-27T19:00:40.547

Link: CVE-2026-24132

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses