CVE-2026-25141
JavaScript Injection in Orval Clients via Incomplete Sanitization
Publication date: 2026-01-30
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orval | orval | From 7.19.0 (inc) to 7.21.0 (exc) |
| orval | orval | From 8.0.0 (inc) to 8.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25141 is a critical code injection vulnerability in the orval-labs/orval project affecting versions starting from 7.19.0 up to but not including 7.21.0 and 8.2.0. The vulnerability arises because the JavaScript string escaping function (jsStringEscape) does not properly escape certain characters, specifically the asterisk (*) and forward slash (/), which can be used to prematurely terminate JavaScript comment blocks. This allows an attacker to inject arbitrary JavaScript code by crafting malicious OpenAPI specifications that include these characters in the x-enum-descriptions field. The attack can be performed remotely without any privileges or user interaction, potentially leading to remote code execution. [4]
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on systems using vulnerable versions of orval. An attacker can inject arbitrary JavaScript code into generated client files by exploiting improper sanitization of certain characters in OpenAPI specifications. This can result in full compromise of the affected system, including unauthorized execution of system commands, data breaches, or other malicious activities without requiring any authentication or user interaction. [4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the orval package to version 7.21.0 or later, preferably to version 8.2.0, where the vulnerability is fully fixed by enhancing the jsStringEscape function to properly escape JavaScript comment delimiters such as /* and */. This prevents code injection via unescaped comment sequences. Avoid using vulnerable versions (7.19.0 up to but not including 7.21.0 and 8.2.0). [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you should check the version of the orval package installed. Versions starting from 7.19.0 up to but not including 7.21.0, and version 8.2.0 prior to the fix, are vulnerable. You can detect vulnerable versions by running commands like `npm list @orval/core` or `npm list orval` to see the installed versions. Additionally, scanning your OpenAPI specifications for the presence of malicious `x-enum-descriptions` fields containing JavaScript comment terminators like `*/` followed by suspicious code could indicate exploitation attempts. There are no specific network detection commands provided in the resources. [2, 4]