CVE-2026-24132
Unknown Unknown - Not Provided
Code Injection via Unescaped Const in Orval Mock Generator

Publication date: 2026-01-23

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24132
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
orval orval From 8.0.0 (inc) to 8.0.3 (exc)
orval orval From 6.0.0 (inc) to 7.20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24132 is a code injection vulnerability in the Orval tool, which generates type-safe JavaScript/TypeScript clients from OpenAPI or Swagger specifications. The issue occurs because untrusted OpenAPI specifications can include malicious constant values (using the 'const' keyword in schema properties) that are directly interpolated into the mock data generation code without proper escaping or serialization. This allows attackers to inject arbitrary JavaScript or TypeScript code into generated mock files, potentially leading to execution of malicious payloads when mocks are generated. The vulnerability affects versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 and has been fixed in versions 7.20.0 and 8.0.3. [5]

Impact Analysis

This vulnerability can lead to arbitrary code execution during the mock generation process in Orval. If an attacker provides a malicious OpenAPI specification with crafted 'const' values, they can inject and execute harmful JavaScript/TypeScript code within the generated mock files. This can compromise the security of the development or testing environment where Orval is used, potentially allowing unauthorized actions or data exposure. Since the vulnerability allows remote exploitation without privileges or user interaction, it poses a significant risk if untrusted specifications are processed. [5]

Detection Guidance

This vulnerability can be detected by examining the versions of the Orval package in use, specifically checking if the version is 7.19.0 or below, or between 8.0.0-rc.0 and 8.0.2, which are vulnerable. Additionally, reviewing generated mock files for injected arbitrary TypeScript/JavaScript code via the const keyword in schema properties can indicate exploitation. Since the vulnerability involves code injection in generated mock files, inspecting these files for unexpected or suspicious code snippets, such as calls to system commands (e.g., require('child_process').execSync('id')), can help detect the issue. There are no specific network commands provided in the resources, but checking package versions can be done with commands like `npm list orval` or `yarn list orval` to identify vulnerable versions. [5]

Mitigation Strategies

The immediate mitigation step is to upgrade the Orval package to a fixed version that addresses CVE-2026-24132. Specifically, upgrade to version 7.20.0 or later, or 8.0.3 or later, where the vulnerability has been fixed by properly escaping mocked values in the mock generation process. This fix prevents injection of arbitrary code by safely serializing constant values using JSON.stringify instead of unsafe string interpolation. Applying these updates will mitigate the risk of arbitrary code execution through malicious OpenAPI specifications in the mock generation pipeline. [4, 6, 7, 9]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart