CVE-2026-25141
📋 TL;DR
This CVE describes a code injection vulnerability in Orval, a tool that generates TypeScript clients from OpenAPI/Swagger specifications. The untrusted input is the specification itself: strings taken from it are written into the generated TypeScript source. The fix for CVE-2026-23947 (the earlier Orval advisory, GHSA-h526-wf6g-67jv) added sanitization of those strings, but the fix is incomplete: a crafted specification can still inject JavaScript written in the JSFuck style, which uses only the characters [ ] ( ) ! + with no alphanumerics and no quotes, none of which the sanitizer removes, so the payload survives the filter intact. Any JavaScript can be encoded that way, so the result is arbitrary attacker-chosen code inside the generated client. Orval versions 7.19.0 through 7.20.x and 8.0.0 through 8.1.x are affected; 7.21.0 and 8.2.0 contain the fix.
💻 Affected Systems
- Orval
📦 What is this software?
Orval by orval-labs (github.com/orval-labs/orval): a code generator that reads an OpenAPI/Swagger document and emits TypeScript API clients and typed hooks (axios, fetch, React Query, SWR and others) plus optional mock handlers. It normally runs as a devDependency inside the build pipeline, so the specification it consumes is build input, not runtime input.
⚠️ Risk & Real-World Impact
Worst Case
A malicious OpenAPI document injects attacker-chosen JavaScript into the generated client. That code ships inside the consuming application and runs with its privileges wherever the client executes: in end users' browsers, in a Node service, or in a build or test step that evaluates the generated module. Every application generated from the poisoned document is compromised at once, which makes this a software-supply-chain problem rather than a single-host bug.
Likely Case
Injected JavaScript running in the browsers of the application's users, with impact equivalent to stored XSS: session or token theft, data manipulation, or requests issued with the victim's credentials. Reaching the injection requires that Orval consume a specification the attacker can influence, for example one fetched from a third-party or compromised API server at build time.
If Mitigated
If specifications come only from trusted, reviewed sources and generated code is diffed before it is committed, an injection is caught before it ships and the bug is reduced to a build-pipeline hygiene issue. Runtime input validation and output encoding in the consuming application do not help here, because the malicious code is already part of the application.
🎯 Exploit Status
Public JSFuck encoders turn any JavaScript into the six characters [ ] ( ) ! + mechanically, so once an injection point in generated code is known, crafting a working payload is routine; the only cost is size, since even short snippets encode to thousands of characters, which is also what makes such payloads easy to spot in a diff. This page links no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.21.0 or 8.2.0
Vendor Advisory: https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q
Restart Required: No, but every consumer must regenerate its client and then rebuild and redeploy.
Instructions:
1. Update Orval to 7.21.0 (7.x line) or 8.2.0 (8.x line), for example npm install --save-dev orval@^7.21.0 or npm install --save-dev orval@^8.2.0 (yarn: yarn add --dev orval@^8.2.0). Note that npm update orval only moves within the range already declared in package.json, so a pinned or caret-locked range can leave you on a vulnerable version.
2. Regenerate all TypeScript clients with the updated version and diff the output against the previously committed client.
3. Rebuild and redeploy every application that uses the regenerated clients.
4. If a vulnerable version ever processed a specification from a source you do not control, treat the previously generated code as suspect and review it for injected expressions before relying on the upgrade alone.
🔧 Temporary Workarounds
Trusted Specifications
Treat the OpenAPI document as untrusted input to the build. Pin Orval to a reviewed local copy of the specification, verify its origin (checksum or signed artifact) before generating, and do not point the generator at a third-party URL.
Review Generated Output
Regenerate into a clean tree and diff before committing. A legitimate regeneration never introduces expressions built solely from the characters [ ] ( ) ! +; reject any diff that does.
🧯 If You Can't Patch
- Generate only from OpenAPI documents you control: keep a reviewed copy in the repository rather than fetching from a remote URL at build time, and regenerate only when that copy changes after review
- Commit generated clients and review their diffs; fail the build if the specification or the generated output contains long runs of [ ] ( ) ! +
- Do not rely on a Content Security Policy or a WAF: CSP does not block code bundled into your own application (a strict connect-src only limits where injected code can exfiltrate to), and a WAF in front of the API never sees the injection, which happens at generation time rather than in HTTP traffic
🔍 How to Verify
Check if Vulnerable:
Check package.json and the lock file (which records the version actually installed) for orval, usually a devDependency: if the installed version is >=7.19.0 and <7.21.0, or >=8.0.0 and <8.2.0, you are vulnerable.
Check Version:
npm list orval | grep orval OR npx orval --version
Verify Fix Applied:
After updating, verify Orval version is 7.21.0+ or 8.2.0+ and regenerate clients.
📡 Detection & Monitoring
Log Indicators:
- Build or CI logs showing Orval generating from an OpenAPI document whose URL or content changed unexpectedly
- Regenerated client files whose diff introduces long runs of [ ] ( ) ! + outside string literals
Source Indicators:
- Long runs of [ ] ( ) ! + (JSFuck uses no whitespace and no alphanumerics) in specification fields that end up in code: operationId, schema and property names, enum values, default values, descriptions
Network Indicators:
- Build hosts fetching OpenAPI documents from hosts other than the expected specification server at generation time
Repository scan (a web-log SIEM query will not see this vulnerability; the injection happens at generation time, not in API requests):
grep -rEn '[][()!+]{20,}' path/to/openapi-specs path/to/generated-client
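Added example (my code for this page, not Orval's and not a copy of its sanitizer): it demonstrates the sanitizer bypass described in the TL;DR and the detection described above in runnable JavaScript. A hypothetical denylist sanitizer strips quotes, backticks and semicolons from a spec-derived string; a JSFuck-style expression built from only [ ] ( ) ! + passes through untouched and, when a hypothetical generator template splices it in unquoted, executes. An allowlist for identifier slots and JSON.stringify for value slots close the gap, and a scanner walks a constructed OpenAPI document and reports every key or string with a long run of those six characters. The sanitizer, the template, the threshold of 8 and the sample specification are all assumptions for illustration.

```javascript
// Added example for this advisory page. It is not Orval's code and does not
// reproduce Orval's real sanitizer; the sanitizer, the generator template, the
// detection threshold and the sample spec below are assumptions for illustration.

// A short JSFuck-style expression: (![]+[])[+!![]] is "false"[1] === "a" and
// (!![]+[])[+[]] is "true"[0] === "t", so the whole thing evaluates to "at".
// Real payloads spell out Function(...)() with the same six characters.
const JSFUCK_SAMPLE = '(![]+[])[+!![]]+(!![]+[])[+[]]';

// Hypothetical denylist sanitizer: removes the characters that usually close a
// string literal or end a statement, and nothing else.
function denylistSanitize(s) {
  return s.replace(/["'`;\s]/g, '');
}

// Hypothetical generator slot that splices the sanitized value in unquoted,
// i.e. in expression position. Any surviving operators become code.
function renderDefault(name, rawValue) {
  return `export const ${name} = ${denylistSanitize(rawValue)};`;
}

// Evaluates the emitted expression the way a consumer's runtime would, to show
// that the denylist left it executable. Only for this demonstration.
function runEmittedExpression(rawValue) {
  return new Function(`return (${denylistSanitize(rawValue)});`)();
}

// Allowlist for identifier slots: keep identifier characters only, replace the
// rest, and force a legal first character. The output can never carry operators.
function toSafeIdentifier(s) {
  const cleaned = s.replace(/[^A-Za-z0-9_$]/g, '_');
  return /^[A-Za-z_$]/.test(cleaned) ? cleaned : `_${cleaned}`;
}

// For value slots, emit a proper string literal instead of sanitizing: quotes,
// backslashes and line terminators are escaped by JSON.stringify, and nothing
// inside the literal is ever parsed as code.
function toStringLiteral(s) {
  return JSON.stringify(s);
}

// Length of the longest run made solely of the six JSFuck characters.
function longestJsFuckRun(s) {
  let best = 0;
  let cur = 0;
  for (const ch of s) {
    cur = '[]()!+'.includes(ch) ? cur + 1 : 0;
    if (cur > best) best = cur;
  }
  return best;
}

// Legitimate operationIds, schema names, enum values and descriptions rarely
// contain more than a few of these characters in a row; JSFuck has nothing else.
function isJsFuckLike(s, threshold = 8) {
  return longestJsFuckRun(s) >= threshold;
}

// Walks a parsed OpenAPI document and reports every key or string value that
// trips the detector, with a slash-joined path to it.
function scanSpec(node, path = '', findings = []) {
  if (typeof node === 'string') {
    if (isJsFuckLike(node)) findings.push({ path, run: longestJsFuckRun(node) });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => scanSpec(item, `${path}/${i}`, findings));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      // Keys are spec-controlled too: schema and property names end up in code.
      if (isJsFuckLike(key)) findings.push({ path: `${path}/${key}`, run: longestJsFuckRun(key) });
      scanSpec(value, `${path}/${key}`, findings);
    }
  }
  return findings;
}

// Constructed sample document: one benign path, one poisoned default value.
const SAMPLE_SPEC = {
  openapi: '3.0.0',
  info: { title: 'Constructed sample', version: '1.0.0' },
  paths: {
    '/pets': { get: { operationId: 'listPets', responses: { 200: { description: 'OK (paged!)' } } } },
  },
  components: {
    schemas: {
      Pet: { type: 'object', properties: { status: { type: 'string', enum: ['available', 'sold'], default: JSFUCK_SAMPLE } } },
    },
  },
};

console.log(renderDefault('status', JSFUCK_SAMPLE));   // the payload survives the denylist
console.log(runEmittedExpression(JSFUCK_SAMPLE));     // "at": it executes
console.log(toSafeIdentifier(JSFUCK_SAMPLE), toStringLiteral(JSFUCK_SAMPLE));
console.log(scanSpec(SAMPLE_SPEC));
```

Run it with node. The threshold of 8 consecutive characters is a starting point; real JSFuck payloads run to hundreds or thousands of characters, so it can be raised to cut noise without missing anything that would actually execute. The scanner is the same check the grep under Repository scan performs, but with the path to the offending field, which is what you need to trace the injection back to the specification source.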
🔗 References
- https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227
- https://github.com/orval-labs/orval/releases/tag/v7.21.0
- https://github.com/orval-labs/orval/releases/tag/v8.2.0
- https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q
- https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv