CVE-2026-25141 in orval

Summary

by MITRE • 01/30/2026

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.


Analysis

by VulDB Data Team • 02/27/2026

The vulnerability described in CVE-2026-25141 affects Orval, a tool that generates type-safe JavaScript clients from OpenAPI v3 or Swagger v2 specifications. This tool is widely used in API development workflows to automatically create client-side code that adheres to specified API contracts. The issue manifests in versions starting with 7.19.0 up to but not including 7.21.0 and 8.2.0, representing a regression in the security measures that were previously implemented to address similar concerns. The vulnerability stems from an incomplete remediation of a prior issue identified as CVE-2026-23947, which demonstrates how security fixes can sometimes be insufficient if they don't account for all possible attack vectors.

The technical flaw resides in the jsStringEscape function's handling of special characters within the code generation process. While the function correctly escapes common problematic characters such as single quotes, double quotes, and other typical escape sequences, it fails to properly sanitize a specific set of characters that can be leveraged for code injection attacks. These characters include brackets [], parentheses (), exclamation marks !, and plus signs +, which when combined in specific patterns can trigger JavaScript execution. This particular weakness allows attackers to bypass the existing sanitization logic through what is known as JSFuck techniques, a method of writing JavaScript code using only a limited set of characters. The JSFuck approach enables attackers to construct arbitrary JavaScript payloads without requiring alphanumeric characters or standard quote marks, making the attack surface particularly concerning given the broad use of the affected tool in development environments.
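The gap described above, as an added example that is not orval's code: a quote-only escaper standing in for the incomplete check, the allowlist and JSON-literal hardening that closes it, and an audit a team can run over OpenAPI documents from untrusted sources before generating clients with an unpatched version. quoteOnlyEscape, auditSpec and SAMPLE_SPEC are constructed names; orval's actual code path is not reproduced here.

```javascript
// Added example, not orval's code: a quote-only escaper (constructed stand-in for the
// incomplete jsStringEscape), the allowlist that replaces it, and an audit for untrusted specs.
function quoteOnlyEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"');
}
// Characters that stay syntactically meaningful in JavaScript with every quote escaped.
const ACTIVE_CHARS = /[\[\]()!+]/;
// True when the escaper returns the value unchanged while it still carries active
// characters: the filter has nothing to act on, yet the text can still parse as code.
function survivesQuoteEscaping(value) {
  return quoteOnlyEscape(value) === value && ACTIVE_CHARS.test(value);
}
// Hardening for identifier positions (operationId, schema names): allowlist, never escape.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function asIdentifier(value) {
  if (!IDENTIFIER.test(value)) throw new Error("refusing non-identifier value: " + value);
  return value;
}
// Hardening for string-literal positions: a JSON literal is always a valid JS string
// literal, so quotes, backslashes and line terminators cannot close it early.
function asStringLiteral(value) {
  return JSON.stringify(value);
}

// Audit (constructed helper) for specs from untrusted sources: report operationIds and
// schema names that are not plain identifiers and whether they carry active characters.
function auditSpec(spec) {
  const findings = [];
  const check = (where, value) => {
    if (typeof value === "string" && !IDENTIFIER.test(value)) {
      findings.push({ where, value, active: ACTIVE_CHARS.test(value) });
    }
  };
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(item)) check(`${method} ${path}`, op && op.operationId);
  }
  for (const name of Object.keys((spec.components && spec.components.schemas) || {})) {
    check("components.schemas", name);
  }
  return findings;
}

// Constructed sample spec: one clean operation, plus an operationId and a schema name
// that a quote-only escaper would pass unchanged or neutralise only partially.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  paths: { "/pets": { get: { operationId: "listPets" } },
           "/owners": { get: { operationId: "get[]()!+Owners" } } },
  components: { schemas: { Pet: {}, "Own'er": {} } },
};
```

The audit flags `get[]()!+Owners` as passing the quote-only escaper unchanged while carrying active characters, which is exactly the case an allowlist rejects outright.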

The operational impact of this vulnerability is significant within development and deployment pipelines that rely on Orval for client generation. An attacker who can influence the OpenAPI specification used by Orval could potentially inject malicious JavaScript code that would be executed during the client generation process. This code injection could occur in environments where developers use Orval to generate client code from specifications provided by external sources or untrusted parties. The vulnerability creates a potential vector for remote code execution within development environments, as the generated JavaScript code might be executed in contexts where it could access sensitive data or perform unauthorized operations. The attack technique's ability to bypass sanitization without requiring traditional escape characters makes it particularly stealthy and difficult to detect through conventional security scanning approaches.

The remediation implemented in versions 7.21.0 and 8.2.0 addresses the incomplete fix with a more comprehensive sanitization approach that accounts for the JSFuck attack patterns and other potential bypass techniques. This updated fix likely implements broader character filtering that prevents potentially dangerous JavaScript syntax elements from reaching the generated code. Organizations using Orval should immediately upgrade to the patched versions to eliminate this vulnerability from their development workflows. The vulnerability aligns with CWE-74 and CWE-94, weaknesses in input validation and code injection that can lead to arbitrary code execution. From an ATT&CK framework perspective, it maps to execution through command and scripting interpreters, potentially enabling adversaries to establish persistent access within development environments through compromised code generation processes. The incident underscores the importance of thorough security testing, particularly for tools that generate executable code, and demonstrates how seemingly minor gaps in sanitization logic can create significant security risks in development toolchains.

Responsible

GitHub M

Reservation

01/29/2026

Disclosure

01/30/2026

Moderation

accepted

CPE

ready

EPSS

0.00034

KEV

no

Activities

very low
