CVE-2026-25141
Unknown Unknown - Not Provided

JavaScript Injection in Orval Clients via Incomplete Sanitization

Vulnerability report for CVE-2026-25141, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-30

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-30
Last Modified
2026-02-27
Generated
2026-07-06
AI Q&A
2026-01-30
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
orval orval From 7.19.0 (inc) to 7.21.0 (exc)
orval orval From 8.0.0 (inc) to 8.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-25141 is a critical code injection vulnerability in the orval-labs/orval project affecting versions starting from 7.19.0 up to but not including 7.21.0 and 8.2.0. The vulnerability arises because the JavaScript string escaping function (jsStringEscape) does not properly escape certain characters, specifically the asterisk (*) and forward slash (/), which can be used to prematurely terminate JavaScript comment blocks. This allows an attacker to inject arbitrary JavaScript code by crafting malicious OpenAPI specifications that include these characters in the x-enum-descriptions field. The attack can be performed remotely without any privileges or user interaction, potentially leading to remote code execution. [4]

Impact Analysis

This vulnerability can lead to remote code execution on systems using vulnerable versions of orval. An attacker can inject arbitrary JavaScript code into generated client files by exploiting improper sanitization of certain characters in OpenAPI specifications. This can result in full compromise of the affected system, including unauthorized execution of system commands, data breaches, or other malicious activities without requiring any authentication or user interaction. [4]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the orval package to version 7.21.0 or later, preferably to version 8.2.0, where the vulnerability is fully fixed by enhancing the jsStringEscape function to properly escape JavaScript comment delimiters such as /* and */. This prevents code injection via unescaped comment sequences. Avoid using vulnerable versions (7.19.0 up to but not including 7.21.0 and 8.2.0). [1, 2, 4]

Detection Guidance

To detect this vulnerability on your system, you should check the version of the orval package installed. Versions starting from 7.19.0 up to but not including 7.21.0, and version 8.2.0 prior to the fix, are vulnerable. You can detect vulnerable versions by running commands like `npm list @orval/core` or `npm list orval` to see the installed versions. Additionally, scanning your OpenAPI specifications for the presence of malicious `x-enum-descriptions` fields containing JavaScript comment terminators like `*/` followed by suspicious code could indicate exploitation attempts. There are no specific network detection commands provided in the resources. [2, 4]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25141. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart