Cyber Posture

CVE-2026-25141

Critical · RCE

Published: 30 January 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: available (fixed in 7.21.0 and 8.2.0)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25141 is a critical-severity Code Injection (CWE-94) vulnerability in Orval, the OpenAPI/Swagger client generator (vendor and product are both listed as Orval). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0003 puts it at the 8.4th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and JavaScript execution (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Requires timely patching of Orval to the fixed versions 7.21.0 or 8.2.0, directly addressing the incomplete jsStringEscape fix for JSFuck-based code injection.

prevent · SI-10 (Information Input Validation): Validates OpenAPI/Swagger specification inputs to Orval so that payloads built from characters like [], (), !, + cannot bypass sanitization. Note that these characters are legitimate in spec text (descriptions, examples, regex patterns), so rejecting them outright breaks real specifications; treat this control as a compensating measure until the generator is patched, and limit spec sources to trusted repositories.

detect: Monitors system processes and verifies integrity during Orval client generation to detect unauthorized JavaScript execution from injected code (the page does not name the control ID for this item).

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Code injection (CWE-94) in Orval lets an unauthenticated attacker who controls an OpenAPI/Swagger spec trigger arbitrary JavaScript execution through the incomplete escaping in jsStringEscape (JSFuck bypass). Supplying the spec over the network maps to T1190, and the resulting script execution maps to T1059.007, with full host compromise as the outcome. In practice Orval runs as a CLI or build step rather than as a listening service, so the exposed surface is the developer workstation or CI runner that generates a client from a spec fetched from an untrusted or attacker-controlled source.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix.

Deeper analysis

CVE-2026-25141 is a code injection vulnerability (CWE-94) in Orval, a tool that generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. It stems from an incomplete fix for CVE-2026-23947 and affects versions from 7.19.0 up to but not including 7.21.0 on the 7.x line, and versions before 8.2.0 on the 8.x line. The issue resides in the jsStringEscape function in Orval's core utilities, which escapes quotes correctly but leaves characters such as [, ], (, ), ! and + untouched. Because JSFuck can express any JavaScript program using only those six characters, an attacker can build a payload that contains no alphanumerics and no quotes, passes the escaper unchanged, and still executes as code. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).
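To make the mechanism concrete, here is an added illustration written for this page. It is not Orval's code: the escaper, the two templates, the `label` variable and the sink are hypothetical stand-ins for the class of bug the advisory describes, and the payload is constructed for the example. It shows why a quote-escaping filter cannot protect a value that is interpolated into a JavaScript code position: a JSFuck payload built from only []()!+ passes through unchanged and is executed when the generated snippet loads, whereas emitting the value as a JSON string literal keeps it inert, and identifier positions need an allow-list rather than escaping.

```javascript
// Added illustration (not Orval's code). Names below are hypothetical.

// Hypothetical quote-only escaper, standing in for an incomplete fix of this class.
function escapeQuotesOnly(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"');
}

// Hypothetical vulnerable template: the escaped value is emitted as an expression,
// so any valid JavaScript in it runs when the generated code is loaded.
function vulnerableTemplate(value) {
  return `const label = ${escapeQuotesOnly(value)};`;
}

// Hardened template: the value is serialised as a JSON string literal, so it is
// always data. U+2028/U+2029 are escaped because older engines treat them as
// line terminators inside string literals.
function toStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function hardenedTemplate(value) {
  return `const label = ${toStringLiteral(value)};`;
}

// Where a spec value must land in an identifier position (e.g. a generated function
// name), no escaping helps; only an allow-list check does.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function assertIdentifier(name) {
  if (!IDENT_RE.test(name)) {
    throw new Error(`refusing unsafe identifier from spec: ${JSON.stringify(name)}`);
  }
  return name;
}

// Constructed JSFuck payload. Building blocks: +[] is 0, !+[] is true, +!+[] is 1,
// ![]+[] is the string "false", !![]+[] is the string "true"; indexing those
// strings with small numbers spells out letters.
const JSFUCK_ALERT = [
  "(![]+[])[+!+[]]",             // "false"[1] -> "a"
  "(![]+[])[!+[]+!+[]]",         // "false"[2] -> "l"
  "(!![]+[])[!+[]+!+[]+!+[]]",   // "true"[3]  -> "e"
  "(!![]+[])[+!+[]]",            // "true"[1]  -> "r"
  "(!![]+[])[+[]]",              // "true"[0]  -> "t"
].join("+");

// Load a generated snippet in isolation and report what `label` ended up holding.
function evaluateGenerated(snippet) {
  return new Function(`${snippet} return label;`)();
}

// The escaper has nothing to escape in the payload, so it passes through unchanged.
function payloadSurvivesEscaper() {
  return escapeQuotesOnly(JSFUCK_ALERT) === JSFUCK_ALERT;
}

// Vulnerable output computes "alert" at load time: spec text was executed as code.
// Hardened output yields the payload text itself, inert.
function demo() {
  return {
    vulnerable: evaluateGenerated(vulnerableTemplate(JSFUCK_ALERT)),
    hardened: evaluateGenerated(hardenedTemplate(JSFUCK_ALERT)),
  };
}

console.log(demo());
```

The lesson generalises beyond Orval: escaping is only meaningful relative to a sink. A value that will sit inside a string literal needs a literal-aware serialiser such as JSON.stringify; a value that will become an identifier, expression or template fragment cannot be made safe by escaping at all and must be validated against an allow-list or rejected.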

Exploitation needs no authentication, privileges or user interaction (AV:N/AC:L/PR:N/UI:N): the attacker only has to get a malicious OpenAPI or Swagger specification consumed by a vulnerable Orval run, for example by hosting it at the URL a project fetches its spec from, or by contributing it to a repository whose build regenerates the client. The injected JavaScript executes during client generation with high confidentiality, integrity and availability impact (C:H/I:H/A:H): full compromise of the developer workstation or CI runner executing Orval, followed by credential and data theft, malware deployment or lateral movement.

Orval's security advisories (GHSA-gch2-phqh-fg9q and GHSA-h526-wf6g-67jv) and the release notes for 7.21.0 and 8.2.0 describe an updated fix to the jsStringEscape function that closes the bypass. Practitioners should upgrade affected installations immediately, to 7.21.0 or later on the 7.x branch or 8.2.0 or later on the 8.x branch, treat any specification obtained from a third party as untrusted input, and review clients that were generated from such specifications while a vulnerable version was installed. The code change is visible in the Orval repository at packages/core/src/utils/string.ts.
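A quick way to find exposed installations is to check lockfiles for orval versions inside the affected ranges this page lists. The script below is an added check written for this page, not Orval's own tooling; it encodes the ranges as 7.19.0 up to but not including 7.21.0 and 8.0.0 up to but not including 8.2.0, walks the `packages` map of an npm lockfile (v2/v3 format), and only matches the `orval` package itself. The sample lockfile is constructed for the example.

```javascript
// Added check (not Orval's code): flag orval versions in the affected ranges
// given on this page inside an npm lockfile. Sample data is constructed.

const AFFECTED_RANGES = [
  { min: "7.19.0", fixed: "7.21.0" },
  { min: "8.0.0", fixed: "8.2.0" },
];

// Minimal semver core comparison (major.minor.patch; pre-release tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0
  );
}

// Walk lockfile v2/v3 "packages" entries. Keys look like "node_modules/orval"
// or "node_modules/some-tool/node_modules/orval" for nested copies.
function findAffectedOrval(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (/(^|\/)node_modules\/orval$/.test(path) && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected copy, one fixed, one below the range.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "api-client", version: "1.0.0" },
    "node_modules/orval": { version: "7.20.0" },
    "node_modules/tool-a/node_modules/orval": { version: "8.2.0" },
    "node_modules/tool-b/node_modules/orval": { version: "7.18.3" },
  },
};

console.log(findAffectedOrval(SAMPLE_LOCKFILE));
// Real project: findAffectedOrval(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
```

Nested copies matter here: a transitive dependency can pin its own vulnerable orval under its own node_modules, which `npm ls orval` reports but a glance at the top-level package.json does not.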

Details

CWE(s)

CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products

orval / orval: 7.19.0 up to but not including 7.21.0 · 8.0.0 up to but not including 8.2.0

CVEs Like This One

CVE-2026-23947 (same product: Orval)
CVE-2026-24132 (same product: Orval)
CVE-2026-22785 (same product: Orval)
CVE-2026-25887 (shared CWE-94)
CVE-2026-4800 (shared CWE-94)
CVE-2026-40911 (shared CWE-94)
CVE-2025-1302 (shared CWE-94)
CVE-2026-33943 (shared CWE-94)
CVE-2025-26260 (shared CWE-94)
CVE-2026-1615 (shared CWE-94)

References