{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24132", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.474Z", "datePublished": "2026-01-22T23:47:45.846Z", "dateUpdated": "2026-01-23T20:01:12.356Z"}, "containers": {"cna": {"title": "Orval Mock Generation Code Injection via const", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626"}, {"name": "https://github.com/orval-labs/orval/pull/2828", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/pull/2828"}, {"name": "https://github.com/orval-labs/orval/pull/2829", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/pull/2829"}, {"name": "https://github.com/orval-labs/orval/pull/2830", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/pull/2830"}, {"name": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5"}, {"name": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06"}, {"name": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62"}, {"name": "https://github.com/orval-labs/orval/releases/tag/v7.20.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0"}, {"name": "https://github.com/orval-labs/orval/releases/tag/v8.0.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3"}], "affected": [{"vendor": "orval-labs", "product": "orval", "versions": [{"version": "< 7.20.0", "status": "affected"}, {"version": ">= 8.0.0-rc.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T23:47:45.846Z"}, "descriptions": [{"lang": "en", "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions \n7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3."}], "source": {"advisory": "GHSA-f456-rf33-4626", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:00:52.884919Z", "id": "CVE-2026-24132", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:01:12.356Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Orval Mock Generation Code Injection via const", "source": {"advisory": "GHSA-f456-rf33-4626", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "orval-labs", "product": "orval", "versions": [{"status": "affected", "version": "< 7.20.0"}, {"status": "affected", "version": ">= 8.0.0-rc.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626", "name": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/orval-labs/orval/pull/2828", "name": "https://github.com/orval-labs/orval/pull/2828", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/pull/2829", "name": "https://github.com/orval-labs/orval/pull/2829", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/pull/2830", "name": "https://github.com/orval-labs/orval/pull/2830", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5", "name": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06", "name": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62", "name": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0", "name": "https://github.com/orval-labs/orval/releases/tag/v7.20.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3", "name": "https://github.com/orval-labs/orval/releases/tag/v8.0.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions \n7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T23:47:45.846Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T20:00:52.884919Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-23T20:01:01.841Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-24132", "state": "PUBLISHED", "dateUpdated": "2026-01-22T23:47:45.846Z", "dateReserved": "2026-01-21T18:38:22.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T23:47:45.846Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orval:orval:*:*:*:*:*:*:*:*", "matchCriteriaId": "58823C13-79AA-42F4-8F1F-E045A6C80548", "versionEndExcluding": "7.20.0", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:orval:orval:*:*:*:*:*:*:*:*", "matchCriteriaId": "9EE654F7-9C50-4514-AB35-B1E38D04F231", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions \n7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3."}], "id": "CVE-2026-24132", "lastModified": "2026-02-27T19:00:40.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-23T00:15:52.403", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/orval-labs/orval/pull/2828"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/orval-labs/orval/pull/2829"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/orval-labs/orval/pull/2830"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:21:27.325864+00:00", "value": {"mitigation_remediation": ["Upgrade Orval to version\u202f7.20.0 or newer, or to version\u202f8.0.3 or newer, to apply the vendor patch.", "If an upgrade is not immediately possible, restrict Orval to trusted, internally vetted OpenAPI specifications and prevent the tool from consuming arbitrary external documents.", "Verify that the mock generation pipeline does not process untrusted specifications at runtime and manually review any generated code for unexpected const values before deployment."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Orval library from orval\u2011labs. Versions 7.19.0 and all earlier releases, as well as 8.0.0\u2011rc.0 through 8.0.2, are impacted. The issue is resolved in 7.20.0 and later, and in 8.0.3 and later. No other vendors or versions are affected.", "description_and_impact": "Orval produces type\u2011safe TS clients from OpenAPI specs. In vulnerable versions the const keyword on schema properties is interpolated directly into mock files without proper escaping, allowing a malicious OpenAPI to inject arbitrary TypeScript or JavaScript. The injected code ends up in the generated interfaces and MSW handlers; when these mocks are imported or executed, the attacker\u2019s code runs. The likely attack vector is an attacker supplying a crafted OpenAPI file during the build or CI process, which is not explicitly stated in the CVE but inferred from the description.", "risk_and_exploitability": "CVSS score 7.7 indicates a high severity. The EPSS score is less than 1\u202f%, signalling a low expected exploitation frequency. It is not listed in CISA\u2019s KEV catalog. Exploitation requires a build\u2011time or CI system that processes untrusted OpenAPI documents. If an attacker can control the spec fed to Orval, the injected code is generated and will run in any runtime that imports the mock modules. Because the flaw manifests during code generation, it must be mitigated at development or build time rather than at application runtime."}}}}, "created": "2026-01-23T10:27:04.929255+00:00", "updated": "2026-04-18T15:30:03.954208+00:00", "vendors": ["orval-labs", "orval-labs$PRODUCT$orval"]}