CVE-2026-25141 - Vulnerability Details

Link	Providers
https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227
https://github.com/orval-labs/orval/releases/tag/v7.21.0
https://github.com/orval-labs/orval/releases/tag/v8.2.0
https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q
https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv

Type	Values Removed	Values Added
Description		Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.
Title		Orval has a code injection via unsanitized x-enum-descriptions uing JS comments
Weaknesses		CWE-94
References		https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227 https://github.com/orval-labs/orval/releases/tag/v7.21.0 https://github.com/orval-labs/orval/releases/tag/v8.2.0 https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25141", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.820Z", "datePublished": "2026-01-30T20:19:04.333Z", "dateUpdated": "2026-01-30T20:19:04.333Z"}, "containers": {"cna": {"title": "Orval has a code injection via unsanitized x-enum-descriptions uing JS comments", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q"}, {"name": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"}, {"name": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227"}, {"name": "https://github.com/orval-labs/orval/releases/tag/v7.21.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/releases/tag/v7.21.0"}, {"name": "https://github.com/orval-labs/orval/releases/tag/v8.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/releases/tag/v8.2.0"}], "affected": [{"vendor": "orval-labs", "product": "orval", "versions": [{"version": ">= 7.19.0, < 7.21.0", "status": "affected"}, {"version": ">= 8.0.0, < 8.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T20:19:04.333Z"}, "descriptions": [{"lang": "en", "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (\") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix."}], "source": {"advisory": "GHSA-gch2-phqh-fg9q", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (\") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix."}], "id": "CVE-2026-25141", "lastModified": "2026-01-30T21:15:58.603", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-30T21:15:58.603", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227"}, {"source": "security-advisories@github.com", "url": "https://github.com/orval-labs/orval/releases/tag/v7.21.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/orval-labs/orval/releases/tag/v8.2.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q"}, {"source": "security-advisories@github.com", "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object