CVE-2026-25141 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting orval, a popular tool that generates type-safe JavaScript (TypeScript) clients from OpenAPI v3 or Swagger v2 specifications. The vulnerability exists in versions starting from 7.19.0 up to but not including 7.21.0, and from 8.0.0 up to but not including 8.2.0. It stems from an incomplete fix for a previous vulnerability (CVE-2026-23947) where the sanitization function jsStringEscape correctly escaped common characters such as single and double quotes but failed to escape certain special characters like square brackets ([]), parentheses (()), exclamation marks (!), and plus signs (+). Attackers can exploit this by leveraging a technique called JSFuck, which encodes JavaScript code using only six characters ([]()!+), bypassing the sanitization logic entirely. This allows execution of arbitrary JavaScript code within the generated client code, leading to potential remote code execution or injection attacks. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The CVSS 4.0 base score is 9.3, reflecting its critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk to any organization using affected orval versions in their software development lifecycle. Versions 7.21.0 and 8.2.0 contain updated fixes that properly address the sanitization gaps. Organizations should prioritize upgrading to these versions to mitigate the risk.

The vulnerability allows attackers to inject and execute arbitrary JavaScript code in the context of applications using orval-generated clients. For European organizations, this can lead to severe consequences including unauthorized data access or modification (confidentiality and integrity breaches), disruption of services (availability impact), and potential compromise of downstream systems consuming orval-generated code. Since orval is used to automate client generation for APIs, exploitation could propagate malicious code into multiple internal or external services, amplifying the attack surface. This is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, and government, where API integrations are common and data sensitivity is high. The lack of authentication or user interaction requirements means attackers can exploit this remotely and at scale, increasing the risk of widespread impact. Additionally, compromised build pipelines or CI/CD environments using vulnerable orval versions could lead to supply chain attacks affecting multiple organizations.

1. Immediately upgrade all orval instances to versions 7.21.0 or 8.2.0 or later, which contain the updated fix for this vulnerability. 2. Audit all build and CI/CD pipelines to identify usage of orval and verify the version in use. 3. Review generated client code for any suspicious or unexpected JavaScript code that could indicate exploitation attempts. 4. Implement strict code review and static analysis tools focused on detecting code injection patterns in generated code. 5. Restrict network access to build environments and limit exposure of API clients generated by orval to trusted systems only. 6. Monitor logs and alerts for anomalous behavior related to orval-generated clients, including unexpected script execution or API calls. 7. Educate development teams about the risks of code injection in generated code and encourage prompt patching of dependencies. 8. Consider employing runtime application self-protection (RASP) or web application firewalls (WAF) that can detect and block malicious JavaScript execution patterns.