
8 vulnerabilities found for orval by orval-labs

CVE-2026-25141 (GCVE-0-2026-25141)

Vulnerability from nvd – Published: 2026-01-30 20:19 – Updated: 2026-01-30 20:19
Title
Orval has a code injection via unsanitized x-enum-descriptions using JS comments
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions from 7.19.0 up to but not including 7.21.0, and from 8.0.0 up to but not including 8.2.0, have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: >= 7.19.0, < 7.21.0
Affected: >= 8.0.0, < 8.2.0

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.19.0, \u003c 7.21.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes (\u0027), double quotes (\") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-30T20:19:04.333Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q"
        },
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"
        },
        {
          "name": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v7.21.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v7.21.0"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gch2-phqh-fg9q",
        "discovery": "UNKNOWN"
      },
      "title": "Orval has a code injection via unsanitized x-enum-descriptions uing JS comments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25141",
    "datePublished": "2026-01-30T20:19:04.333Z",
    "dateReserved": "2026-01-29T15:39:11.820Z",
    "dateUpdated": "2026-01-30T20:19:04.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24132 (GCVE-0-2026-24132)

Vulnerability from nvd – Published: 2026-01-22 23:47 – Updated: 2026-01-23 20:01
Title
Orval Mock Generation Code Injection via const
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: < 7.20.0
Affected: >= 8.0.0-rc.0, < 8.0.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T20:00:52.884919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T20:01:12.356Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-rc.0, \u003c 8.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions \n7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T23:47:45.846Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2828",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2828"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2829",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2829"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2830",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2830"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v7.20.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.0.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3"
        }
      ],
      "source": {
        "advisory": "GHSA-f456-rf33-4626",
        "discovery": "UNKNOWN"
      },
      "title": "Orval Mock Generation Code Injection via const"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24132",
    "datePublished": "2026-01-22T23:47:45.846Z",
    "dateReserved": "2026-01-21T18:38:22.474Z",
    "dateUpdated": "2026-01-23T20:01:12.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23947 (GCVE-0-2026-23947)

Vulnerability from nvd – Published: 2026-01-20 00:19 – Updated: 2026-01-21 17:09
Title
Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0, and versions from 8.0.0-rc.0 up to but not including 8.0.2, are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: >= 8.0.0-rc.0, < 8.0.2
Affected: < 7.19.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T17:04:30.700710Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T17:04:37.834Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-rc.0, \u003c 8.0.2"
            },
            {
              "status": "affected",
              "version": "\u003c 7.19.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785\u0027s fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T17:09:11.690Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-h526-wf6g-67jv",
        "discovery": "UNKNOWN"
      },
      "title": "Orval MCP client is vulnerable to  code injection via unsanitized x-enum-descriptions in enum generation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23947",
    "datePublished": "2026-01-20T00:19:48.901Z",
    "dateReserved": "2026-01-19T14:49:06.311Z",
    "dateUpdated": "2026-01-21T17:09:11.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22785 (GCVE-0-2026-22785)

Vulnerability from nvd – Published: 2026-01-12 18:43 – Updated: 2026-01-12 18:56
Title
orval MCP client is vulnerable to a code injection attack.
Summary
orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: < 7.18.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22785",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:56:42.000281Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:56:50.902Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.18.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to \"break out\" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T18:43:16.637Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d"
        }
      ],
      "source": {
        "advisory": "GHSA-mwr6-3gp8-9jmj",
        "discovery": "UNKNOWN"
      },
      "title": "orval MCP client is vulnerable to a code injection attack."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22785",
    "datePublished": "2026-01-12T18:43:16.637Z",
    "dateReserved": "2026-01-09T18:27:19.388Z",
    "dateUpdated": "2026-01-12T18:56:50.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25141 (GCVE-0-2026-25141)

Vulnerability from cvelistv5 – Published: 2026-01-30 20:19 – Updated: 2026-01-30 20:19
Title
Orval has a code injection via unsanitized x-enum-descriptions using JS comments
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions from 7.19.0 up to but not including 7.21.0, and from 8.0.0 up to but not including 8.2.0, have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: >= 7.19.0, < 7.21.0
Affected: >= 8.0.0, < 8.2.0

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.19.0, \u003c 7.21.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes (\u0027), double quotes (\") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-30T20:19:04.333Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q"
        },
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"
        },
        {
          "name": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v7.21.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v7.21.0"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gch2-phqh-fg9q",
        "discovery": "UNKNOWN"
      },
      "title": "Orval has a code injection via unsanitized x-enum-descriptions uing JS comments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25141",
    "datePublished": "2026-01-30T20:19:04.333Z",
    "dateReserved": "2026-01-29T15:39:11.820Z",
    "dateUpdated": "2026-01-30T20:19:04.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24132 (GCVE-0-2026-24132)

Vulnerability from cvelistv5 – Published: 2026-01-22 23:47 – Updated: 2026-01-23 20:01
Title
Orval Mock Generation Code Injection via const
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: < 7.20.0
Affected: >= 8.0.0-rc.0, < 8.0.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T20:00:52.884919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T20:01:12.356Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-rc.0, \u003c 8.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions \n7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T23:47:45.846Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2828",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2828"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2829",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2829"
        },
        {
          "name": "https://github.com/orval-labs/orval/pull/2830",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/pull/2830"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v7.20.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.0.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3"
        }
      ],
      "source": {
        "advisory": "GHSA-f456-rf33-4626",
        "discovery": "UNKNOWN"
      },
      "title": "Orval Mock Generation Code Injection via const"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24132",
    "datePublished": "2026-01-22T23:47:45.846Z",
    "dateReserved": "2026-01-21T18:38:22.474Z",
    "dateUpdated": "2026-01-23T20:01:12.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23947 (GCVE-0-2026-23947)

Vulnerability from cvelistv5 – Published: 2026-01-20 00:19 – Updated: 2026-01-21 17:09
Title
Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation
Summary
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0, and 8.x versions from 8.0.0-rc.0 up to but not including 8.0.2, are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue; that fix was later reported as incomplete (see CVE-2026-25141 on this page), and versions 7.21.0 and 8.2.0 contain the updated fix.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: >= 8.0.0-rc.0, < 8.0.2
Affected: < 7.19.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T17:04:30.700710Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T17:04:37.834Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-rc.0, \u003c 8.0.2"
            },
            {
              "status": "affected",
              "version": "\u003c 7.19.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785\u0027s fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T17:09:11.690Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"
        },
        {
          "name": "https://github.com/orval-labs/orval/releases/tag/v8.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-h526-wf6g-67jv",
        "discovery": "UNKNOWN"
      },
      "title": "Orval MCP client is vulnerable to  code injection via unsanitized x-enum-descriptions in enum generation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23947",
    "datePublished": "2026-01-20T00:19:48.901Z",
    "dateReserved": "2026-01-19T14:49:06.311Z",
    "dateUpdated": "2026-01-21T17:09:11.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22785 (GCVE-0-2026-22785)

Vulnerability from cvelistv5 – Published: 2026-01-12 18:43 – Updated: 2026-01-12 18:56
Title
orval MCP client is vulnerable to a code injection attack.
Summary
orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
Impacted products
Vendor Product Version
orval-labs orval Affected: < 7.18.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22785",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:56:42.000281Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:56:50.902Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "orval",
          "vendor": "orval-labs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.18.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to \"break out\" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T18:43:16.637Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj"
        },
        {
          "name": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d"
        }
      ],
      "source": {
        "advisory": "GHSA-mwr6-3gp8-9jmj",
        "discovery": "UNKNOWN"
      },
      "title": "orval MCP client is vulnerable to a code injection attack."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22785",
    "datePublished": "2026-01-12T18:43:16.637Z",
    "dateReserved": "2026-01-09T18:27:19.388Z",
    "dateUpdated": "2026-01-12T18:56:50.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}