CVE-2026-24132
Code Injection via Unescaped Const in Orval Mock Generator
Publication date: 2026-01-23
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orval | orval | From 8.0.0 (inc) to 8.0.3 (exc) |
| orval | orval | From 6.0.0 (inc) to 7.20.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24132 is a code injection vulnerability in the Orval tool, which generates type-safe JavaScript/TypeScript clients from OpenAPI or Swagger specifications. The issue occurs because untrusted OpenAPI specifications can include malicious constant values (using the 'const' keyword in schema properties) that are directly interpolated into the mock data generation code without proper escaping or serialization. This allows attackers to inject arbitrary JavaScript or TypeScript code into generated mock files, potentially leading to execution of malicious payloads when mocks are generated. The vulnerability affects versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 and has been fixed in versions 7.20.0 and 8.0.3. [5]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution during the mock generation process in Orval. If an attacker provides a malicious OpenAPI specification with crafted 'const' values, they can inject and execute harmful JavaScript/TypeScript code within the generated mock files. This can compromise the security of the development or testing environment where Orval is used, potentially allowing unauthorized actions or data exposure. Since the vulnerability allows remote exploitation without privileges or user interaction, it poses a significant risk if untrusted specifications are processed. [5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the versions of the Orval package in use, specifically checking if the version is 7.19.0 or below, or between 8.0.0-rc.0 and 8.0.2, which are vulnerable. Additionally, reviewing generated mock files for injected arbitrary TypeScript/JavaScript code via the const keyword in schema properties can indicate exploitation. Since the vulnerability involves code injection in generated mock files, inspecting these files for unexpected or suspicious code snippets, such as calls to system commands (e.g., require('child_process').execSync('id')), can help detect the issue. There are no specific network commands provided in the resources, but checking package versions can be done with commands like `npm list orval` or `yarn list orval` to identify vulnerable versions. [5]
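The version check described above, as an added example that is not part of this advisory or of orval itself. It encodes the two affected ranges from the Affected Vendors & Products table (6.0.0 inclusive to 7.20.0 exclusive, and 8.0.0-rc.0 inclusive to 8.0.3 exclusive) and compares an installed version against them with semver ordering, so that the 8.0.0 prerelease builds are handled correctly. The `npm list orval --json` object at the bottom is a constructed sample of that command's output shape, not captured output.

```javascript
// Added example (not orval's code): decide whether an installed orval version
// falls inside the ranges this advisory lists as affected:
//   >= 6.0.0      and < 7.20.0   (the 6.x/7.x line through 7.19.0)
//   >= 8.0.0-rc.0 and < 8.0.3    (the 8.0.0 prereleases through 8.0.2)
// Range boundaries come from the advisory; the parsing code is our own.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable structure.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null, // null = a release, which sorts after any prerelease
  };
}

// Semver ordering: numeric core first; a prerelease is lower than the release
// it precedes; prerelease identifiers compare numerically when both are numbers.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(a.pre[i]);
    const bn = /^\d+$/.test(b.pre[i]);
    if (an && bn) {
      const d = Number(a.pre[i]) - Number(b.pre[i]);
      if (d !== 0) return d;
    } else if (an) {
      return -1; // numeric identifiers sort before alphanumeric ones
    } else if (bn) {
      return 1;
    } else if (a.pre[i] !== b.pre[i]) {
      return a.pre[i] < b.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// Affected ranges as [inclusive lower bound, exclusive upper bound].
const AFFECTED_RANGES = [
  ['6.0.0', '7.20.0'],
  ['8.0.0-rc.0', '8.0.3'],
];

function isAffectedOrvalVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) < 0);
}

// Pull the installed version out of a parsed `npm list orval --json` object.
function installedOrvalVersion(npmListJson) {
  const dep = npmListJson.dependencies && npmListJson.dependencies.orval;
  return dep ? dep.version : null;
}

// Constructed sample of the `npm list orval --json` output shape (not captured
// from a real project), so the example runs offline.
const sampleNpmListOutput = {
  name: 'example-app',
  dependencies: { orval: { version: '7.19.0' } },
};

const found = installedOrvalVersion(sampleNpmListOutput);
console.log(`orval ${found}: ${isAffectedOrvalVersion(found) ? 'AFFECTED, upgrade to 7.20.0 / 8.0.3 or later' : 'not in an affected range'}`);
```

In a real project, pipe `npm list orval --json` into this check rather than reading the version by eye; the prerelease handling matters because `8.0.0-rc.0` is inside the affected range while `8.0.3` is not, and a plain string comparison gets that wrong.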
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Orval package to a fixed version that addresses CVE-2026-24132. Specifically, upgrade to version 7.20.0 or later, or 8.0.3 or later, where the vulnerability has been fixed by properly escaping mocked values in the mock generation process. This fix prevents injection of arbitrary code by safely serializing constant values using JSON.stringify instead of unsafe string interpolation. Applying these updates will mitigate the risk of arbitrary code execution through malicious OpenAPI specifications in the mock generation pipeline. [4, 6, 7, 9]
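The serialization fix described above, as an added example that is not orval's own code: a minimal emitter that turns an OpenAPI property's `const` into a literal for a generated mock file, shown in the unsafe string-interpolation form the advisory describes and in the hardened form that uses `JSON.stringify`. The exact quoting orval used before the fix is not given on this page, so the unsafe variant is illustrative; the schema snippet and the round-trip check are constructed for the example.

```javascript
// Added example, not orval's code. Two ways to emit a schema `const` as a
// JavaScript literal inside generated mock source.

// Unsafe (illustrative of the pre-fix pattern): the value is dropped straight
// into source text, so any quote or code-like characters in the spec become
// code rather than data. Also wrong for non-string consts (a number becomes a
// string).
function emitConstUnsafe(value) {
  return `"${value}"`;
}

// Hardened: serialise as a JSON literal, which is also a valid JavaScript
// expression. Quotes, backslashes and newlines are escaped, and numbers,
// booleans and objects keep their type.
function emitConstSafe(value) {
  return JSON.stringify(value);
}

// Build the body of a mock object: one `key: literal` line per `const`
// property. `emit` is the serializer under test.
function generateMockObject(schema, emit) {
  const lines = Object.entries(schema.properties || {})
    .filter(([, prop]) => Object.prototype.hasOwnProperty.call(prop, 'const'))
    .map(([name, prop]) => `  ${JSON.stringify(name)}: ${emit(prop.const)},`);
  return `{\n${lines.join('\n')}\n}`;
}

// Round-trip check a reviewer can run over a serializer: the emitted literal
// must parse back (as JSON) to exactly the value that was in the spec. A parse
// failure or a different value means the value escaped the literal and
// changed the shape of the generated code.
function roundTripsCleanly(value, emit) {
  try {
    return JSON.stringify(JSON.parse(emit(value))) === JSON.stringify(value);
  } catch (e) {
    return false;
  }
}

// Constructed schema: one benign const and one whose value contains a double
// quote, which is enough to break out of a naively interpolated literal.
const sampleSchema = {
  type: 'object',
  properties: {
    status: { type: 'string', const: 'active' },
    label: { type: 'string', const: 'say "hi"' },
    retries: { type: 'integer', const: 3 },
  },
};

for (const [name, prop] of Object.entries(sampleSchema.properties)) {
  console.log(
    `${name}: unsafe=${roundTripsCleanly(prop.const, emitConstUnsafe)} ` +
    `safe=${roundTripsCleanly(prop.const, emitConstSafe)}`);
}
console.log(generateMockObject(sampleSchema, emitConstSafe));
```

The benign `status` value round-trips under both serializers, which is why this class of bug survives ordinary testing; only a value carrying a quote (or a non-string type) exposes the difference. When reviewing a code generator, the invariant to check is the one `roundTripsCleanly` encodes: every spec-controlled value must come back out as data of the same type, never as additional syntax.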