Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.
Published: 2026-01-30
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript code execution via code injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to inject arbitrary JavaScript into the code generated by Orval. By supplying specially crafted values in the x-enum-descriptions field of an OpenAPI specification, the unsanitized string builder can be made to produce a JSFuck expression that bypasses the existing escape logic. The resulting injected code is then executed in the context where the generated client is used, potentially yielding full control of the application running the client. The flaw is a classic code-injection weakness (CWE-94) and can compromise confidentiality, integrity, and availability if the generated code is deployed in a trusted environment.

Affected Systems

The affected product is Orval from orval-labs. Versions 7.19.0 through 7.20.x and 8.0.0 through 8.1.x are vulnerable, as these were released before the comprehensive fix that appears in 7.21.0 and 8.2.0. All earlier or later releases are not impacted unless they contain the same escape logic.

Risk and Exploitability

The CVSS v3.1 base score of 9.3 indicates high severity, while the EPSS score of less than 1% shows a very low likelihood that the flaw is being exploited in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can supply or influence a malformed OpenAPI specification that is processed by Orval, such as a compromised CI pipeline or malicious code generator. Once the vulnerable code is generated, arbitrary JavaScript can run in the browser or Node.js environment where the client is loaded.

Generated by OpenCVE AI on April 18, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orval to version 7.21.0 or later, or to 8.2.0 or later, which contain the complete fix for this injection issue.
  • If an upgrade is not immediately possible, locate the jsStringEscape function in the codebase and apply the patch that properly escapes all special characters used in JSFuck expressions.
  • Validate or sanitize all x-enum-descriptions values in incoming OpenAPI specifications to ensure they do not contain characters that can form a malicious JavaScript expression.
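
One way to implement the validation step in the last recommendation, as an added example (not code from Orval or OpenCVE): a Node.js check that walks a parsed OpenAPI document and reports every x-enum-descriptions entry that falls outside an allowlist. The allowlist policy, the function name findEnumDescriptionIssues and the sample document are assumptions made for illustration.

```javascript
// Added example: pre-generation gate for x-enum-descriptions values.
// ALLOWED is an assumed policy (plain words and basic punctuation);
// it is not Orval's own escape logic.
const ALLOWED = /^[\p{L}\p{N} .,:;_-]*$/u;

// Escape a key for use in a JSON Pointer (RFC 6901).
const ptr = (key) => String(key).replace(/~/g, '~0').replace(/\//g, '~1');

// Recursively walk the document and collect one issue per offending entry.
function findEnumDescriptionIssues(node, path = '', issues = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findEnumDescriptionIssues(item, `${path}/${i}`, issues));
    return issues;
  }
  if (node === null || typeof node !== 'object') return issues;

  for (const [key, value] of Object.entries(node)) {
    const here = `${path}/${ptr(key)}`;
    if (key === 'x-enum-descriptions') {
      // The extension is normally an array; a bare value is checked as one entry.
      const entries = Array.isArray(value) ? value : [value];
      entries.forEach((entry, i) => {
        const at = Array.isArray(value) ? `${here}/${i}` : here;
        if (typeof entry !== 'string') {
          issues.push({ path: at, reason: 'not a string' });
        } else if (!ALLOWED.test(entry)) {
          // List each disallowed character once, in order of first appearance.
          const bad = [...new Set([...entry].filter((ch) => !ALLOWED.test(ch)))].join('');
          issues.push({ path: at, reason: `disallowed characters: ${bad}` });
        }
      });
    } else {
      findEnumDescriptionIssues(value, here, issues);
    }
  }
  return issues;
}

// Constructed sample document (not taken from a real API).
const sampleSpec = {
  openapi: '3.0.3',
  components: { schemas: { Status: {
    type: 'string',
    enum: ['active', 'disabled', 'pending'],
    'x-enum-descriptions': ['Account is active', '![]+[]', 42],
  } } },
};

const sampleIssues = findEnumDescriptionIssues(sampleSpec);
console.log(sampleIssues);
```

Run a check like this in CI before invoking the generator, and fail the build when the returned list is not empty.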


Advisories
Source | ID | Title
Github GHSA | GHSA-gch2-phqh-fg9q | Orval has Code Injection via unsanitized x-enum-descriptions using JS comments
History

Fri, 27 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Orval
Orval orval
CPEs cpe:2.3:a:orval:orval:*:*:*:*:*:*:*:*
Vendors & Products Orval
Orval orval
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Orval-labs
Orval-labs orval
Vendors & Products Orval-labs
Orval-labs orval

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.
Title Orval has a code injection via unsanitized x-enum-descriptions using JS comments
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T18:00:17.681Z

Reserved: 2026-01-29T15:39:11.820Z

Link: CVE-2026-25141

Vulnrichment

Updated: 2026-02-02T18:00:12.943Z

NVD

Status: Analyzed

Published: 2026-01-30T21:15:58.603

Modified: 2026-02-27T18:21:56.603

Link: CVE-2026-25141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses