CVE-2026-25141: CWE-94: Improper Control of Generation of Code ('Code Injection') in orval-labs orval
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.
AI Analysis
Technical Summary
CVE-2026-25141 is a critical code injection vulnerability identified in orval, a tool that generates type-safe JavaScript (TypeScript) clients from OpenAPI v3 or Swagger v2 specifications. The vulnerability exists in versions starting from 7.19.0 up to but not including 7.21.0, and from 8.0.0 up to but not including 8.2.0, where an incomplete fix for a previous vulnerability (CVE-2026-23947) was implemented. The core issue lies in the insufficient sanitization of input strings used in code generation. While the jsStringEscape function correctly escapes common characters such as single and double quotes, it fails to escape certain special characters like square brackets ([]), parentheses (()), exclamation marks (!), and plus signs (+). An attacker can exploit this by leveraging a technique known as JSFuck, which encodes JavaScript code using only six characters, none of which are alphanumeric or quotes. This allows bypassing the sanitization logic and injecting arbitrary JavaScript code into the generated client code. The vulnerability does not require any authentication or user interaction, and the attack surface is network-exposed, making it highly exploitable remotely. Successful exploitation can lead to arbitrary code execution in the context where the generated client code runs, potentially compromising confidentiality, integrity, and availability of affected systems. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with high impact on confidentiality, integrity, and availability, and low attack complexity. Versions 7.21.0 and 8.2.0 of orval contain updated fixes that properly address this injection vector by improving the sanitization logic. No known exploits are reported in the wild as of the publication date, but the ease of exploitation and critical impact warrant immediate attention.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those that incorporate orval-generated clients into their software development lifecycle or production environments. Exploitation can lead to arbitrary JavaScript execution, which may result in data theft, unauthorized access, or disruption of services. Industries with high reliance on JavaScript tooling, such as financial services, healthcare, and critical infrastructure, face heightened risks due to the potential for cascading effects from compromised client applications. The vulnerability's network-exploitable nature means attackers can remotely target vulnerable systems without prior access, increasing the threat landscape. Additionally, compromised client code can be propagated through supply chains, affecting multiple organizations downstream. The lack of required authentication or user interaction further amplifies the risk, making automated exploitation feasible. European data protection regulations, such as GDPR, impose strict requirements on data security; a breach resulting from this vulnerability could lead to regulatory penalties and reputational damage. Organizations using orval in continuous integration/continuous deployment (CI/CD) pipelines must be vigilant to prevent injection of malicious code into their software products.
Mitigation Recommendations
To mitigate CVE-2026-25141, European organizations should immediately upgrade orval to versions 7.21.0 or 8.2.0, which contain the updated fix addressing the code injection vulnerability. It is critical to audit all generated client code for suspicious patterns or injection attempts, especially if older versions were used recently. Incorporate static code analysis tools capable of detecting code injection risks in generated code. Review and harden CI/CD pipelines to ensure that only sanitized and verified OpenAPI specifications are processed by orval. Implement strict input validation and sanitization on all OpenAPI/Swagger specifications before client generation. Where possible, isolate orval-generated clients in sandboxed environments to limit the impact of potential exploitation. Monitor network traffic and application logs for anomalous JavaScript execution or injection indicators. Educate development teams about the risks of code injection and the importance of using updated tooling. Finally, maintain an inventory of software dependencies to quickly identify and remediate vulnerable versions of orval in use.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
CVE-2026-25141: CWE-94: Improper Control of Generation of Code ('Code Injection') in orval-labs orval
Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-25141 is a critical code injection vulnerability identified in orval, a tool that generates type-safe JavaScript (TypeScript) clients from OpenAPI v3 or Swagger v2 specifications. The vulnerability exists in versions starting from 7.19.0 up to but not including 7.21.0, and from 8.0.0 up to but not including 8.2.0, where an incomplete fix for a previous vulnerability (CVE-2026-23947) was implemented. The core issue lies in the insufficient sanitization of input strings used in code generation. While the jsStringEscape function correctly escapes common characters such as single and double quotes, it fails to escape certain special characters like square brackets ([]), parentheses (()), exclamation marks (!), and plus signs (+). An attacker can exploit this by leveraging a technique known as JSFuck, which encodes JavaScript code using only six characters, none of which are alphanumeric or quotes. This allows bypassing the sanitization logic and injecting arbitrary JavaScript code into the generated client code. The vulnerability does not require any authentication or user interaction, and the attack surface is network-exposed, making it highly exploitable remotely. Successful exploitation can lead to arbitrary code execution in the context where the generated client code runs, potentially compromising confidentiality, integrity, and availability of affected systems. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with high impact on confidentiality, integrity, and availability, and low attack complexity. Versions 7.21.0 and 8.2.0 of orval contain updated fixes that properly address this injection vector by improving the sanitization logic. No known exploits are reported in the wild as of the publication date, but the ease of exploitation and critical impact warrant immediate attention.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those that incorporate orval-generated clients into their software development lifecycle or production environments. Exploitation can lead to arbitrary JavaScript execution, which may result in data theft, unauthorized access, or disruption of services. Industries with high reliance on JavaScript tooling, such as financial services, healthcare, and critical infrastructure, face heightened risks due to the potential for cascading effects from compromised client applications. The vulnerability's network-exploitable nature means attackers can remotely target vulnerable systems without prior access, increasing the threat landscape. Additionally, compromised client code can be propagated through supply chains, affecting multiple organizations downstream. The lack of required authentication or user interaction further amplifies the risk, making automated exploitation feasible. European data protection regulations, such as GDPR, impose strict requirements on data security; a breach resulting from this vulnerability could lead to regulatory penalties and reputational damage. Organizations using orval in continuous integration/continuous deployment (CI/CD) pipelines must be vigilant to prevent injection of malicious code into their software products.
Mitigation Recommendations
To mitigate CVE-2026-25141, European organizations should immediately upgrade orval to versions 7.21.0 or 8.2.0, which contain the updated fix addressing the code injection vulnerability. It is critical to audit all generated client code for suspicious patterns or injection attempts, especially if older versions were used recently. Incorporate static code analysis tools capable of detecting code injection risks in generated code. Review and harden CI/CD pipelines to ensure that only sanitized and verified OpenAPI specifications are processed by orval. Implement strict input validation and sanitization on all OpenAPI/Swagger specifications before client generation. Where possible, isolate orval-generated clients in sandboxed environments to limit the impact of potential exploitation. Monitor network traffic and application logs for anomalous JavaScript execution or injection indicators. Educate development teams about the risks of code injection and the importance of using updated tooling. Finally, maintain an inventory of software dependencies to quickly identify and remediate vulnerable versions of orval in use.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-29T15:39:11.820Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 697d1444ac0632022278962a
Added to database: 1/30/2026, 8:27:48 PM
Last enriched: 2/7/2026, 8:31:17 AM
Last updated: 3/24/2026, 4:43:43 PM
Views: 59
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.