CVE-2026-24132
Published: 23 January 2026
Summary
CVE-2026-24132 is a critical-severity Command Injection (CWE-77) vulnerability in Orval. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its exploit likelihood ranks at the 15.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation ensures vulnerable Orval versions are patched to fixed releases (7.20.0 or 8.0.3), preventing code injection from untrusted OpenAPI const properties.
Information input validation sanitizes or rejects untrusted OpenAPI specifications before processing in Orval, blocking arbitrary TypeScript/JavaScript injection via schema const keywords.
Vulnerability monitoring and scanning identifies Orval installations affected by CVE-2026-24132, enabling prompt patching or removal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct code injection into generated JS/TS mock files via malicious OpenAPI input enables arbitrary JavaScript execution (T1059.007) when the output is loaded or run; because the flaw sits in a client-side code generator, it also constitutes exploitation for client execution (T1203).
NVD Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
Deeper analysis
CVE-2026-24132 is a code injection vulnerability in Orval, a tool that generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. Affected versions include 7.19.0 and earlier, as well as 8.0.0-rc.0 through 8.0.2. The flaw occurs when untrusted OpenAPI specifications use the "const" keyword on schema properties, allowing arbitrary TypeScript/JavaScript to be injected into generated mock files. These values are interpolated without proper escaping or serialization in the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts), leading to attacker-controlled code in interface definitions and faker/MSW handlers. The issue is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-77 (Command Injection) and CWE-94 (Code Injection).
Attackers can exploit this by supplying a malicious OpenAPI specification to any user or system running vulnerable Orval versions during code generation. No privileges or user interaction are required, enabling remote exploitation over the network. Successful injection results in arbitrary code execution within the generated mock files, potentially compromising development environments, CI/CD pipelines, or applications that load and use these mocks. The impact mirrors a prior issue with enum x-enumDescriptions (GHSA-h526-wf6g-67jv) but targets a distinct code path in the faker-based mock generator.
Mitigation involves updating to Orval versions 7.20.0 or 8.0.3, where the issue is fixed. Relevant patches are detailed in GitHub commits 44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5, 6d8ece07ccb80693ad43edabccb3957aceadcd06, and 9b211cddc9f009f8a671e4ac6cb72cd8646b62, along with pull requests 2828 and 2829.
Details
- CWE(s)