Cyber Resilience

CVE-2026-25141

Critical · RCE

Published: 30 January 2026
Modified: 27 February 2026
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (44.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25141 is a critical-severity Code Injection (CWE-94) vulnerability in Orval. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 44.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25141 is a code injection vulnerability (CWE-94) in Orval, a tool that generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. It stems from an incomplete fix for CVE-2026-23947 and affects Orval versions from 7.19.0 up to but not including 7.21.0, as well as 8.x versions prior to 8.2.0. The issue resides in the jsStringEscape function within Orval's core utilities, which escapes quotes correctly but does not handle characters such as [], (), !, and +. Because those characters are enough to build a JSFuck-style expression, an attacker can bypass the sanitization and have arbitrary JavaScript executed without using any alphanumeric characters or quotes. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).

Any remote attacker with network access can exploit this vulnerability without authentication, privileges, or user interaction (AV:N/AC:L/PR:N/UI:N). By supplying a malicious OpenAPI or Swagger specification to a vulnerable Orval instance, an attacker can force the execution of arbitrary JavaScript code during client generation. Successful exploitation has high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) and can lead to full compromise of the developer or build machine running Orval, including data theft, malware deployment, or further lateral movement.

Orval's security advisories (GHSA-gch2-phqh-fg9q and GHSA-h526-wf6g-67jv) and release notes for versions 7.21.0 and 8.2.0 detail an updated fix to the jsStringEscape function that addresses the bypass. Security practitioners should immediately upgrade affected Orval installations to version 7.21.0 or later for the 7.x branch, or 8.2.0 or later for the 8.x branch, and review any generated clients from untrusted specifications. The specific code changes are visible in the Orval repository at packages/core/src/utils/string.ts.

Vulnerability details

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.
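As an added example (not Orval's code and not the project's fix), the following JavaScript contrasts a quote-only escaper of the kind the deeper analysis and vulnerability details describe with one that escapes every character outside a small allow-list, and goes a step further with two defensive checks: whether an escaped value still carries the []()!+ characters, and a spec-level input validation pass that flags string fields made up only of those characters. The function names, the allow-list and the sample values are assumptions made for the example.

```javascript
// Added example, not Orval's code: why escaping only quotes is not enough
// when spec-controlled text is interpolated into generated JavaScript, plus
// two defensive checks a generator or CI step could apply.

// Quote-only escaper modelled on the behaviour the advisory describes:
// quotes and backslashes are handled, []()!+ pass through unchanged.
function quoteOnlyEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// Hardened escaper (assumed allow-list): every UTF-16 code unit outside
// [A-Za-z0-9 _.,:/-] is emitted as \uXXXX, so the result can only ever be
// string content and can never close the literal or form an expression.
function strictEscape(s) {
  return s.replace(/[^A-Za-z0-9 _.,:\/-]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Check 1: does an escaped value still carry the characters JSFuck builds on?
function leaksInjectionChars(escaped) {
  return /[\[\]()!+]/.test(escaped);
}

// Check 2: input validation on a spec string field. A value consisting only
// of []()!+ (and at least a handful of them) is not a plausible operationId,
// summary or description and should be rejected before generation runs.
function looksLikeJsFuck(value) {
  return value.length >= 8 && /^[\[\]()!+]+$/.test(value);
}

// Walk every string in a parsed spec object and report the offending paths.
function auditSpecStrings(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    if (looksLikeJsFuck(node)) hits.push(path);
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) auditSpecStrings(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Constructed sample value (not taken from any real spec).
const sample = "summary[]()!+ with 'quotes' \"too\" \\";
console.log(quoteOnlyEscape(sample));  // []()!+ survive untouched
console.log(strictEscape(sample));     // only allow-listed chars and \uXXXX
// \uXXXX is also a valid JSON escape, so the hardened form round-trips losslessly.
console.log(JSON.parse('"' + strictEscape(sample) + '"') === sample);
```

The round-trip through JSON.parse is a cheap way to confirm that the hardened escaper changes representation only, not content.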

CWE(s): CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Code injection (CWE-94) in Orval lets remote unauthenticated attackers supply malicious OpenAPI/Swagger specs that trigger arbitrary JavaScript execution through the incomplete escaping in jsStringEscape and its JSFuck bypass. That maps directly to T1190 (exploitation of a network-accessible application) and T1059.007 (abuse of the JavaScript interpreter), together sufficient for full host compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23947 · same product: Orval
CVE-2026-24132 · same product: Orval
CVE-2026-22785 · same product: Orval
CVE-2025-26260 · shared CWE-94
CVE-2026-26954 · shared CWE-94
CVE-2026-41507 · shared CWE-94
CVE-2025-12735 · shared CWE-94
CVE-2026-25887 · shared CWE-94
CVE-2026-33881 · shared CWE-94
CVE-2025-23061 · shared CWE-94

Affected Assets

orval: 7.19.0 and later, before 7.21.0 · 8.0.0 and later, before 8.2.0

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-2 (Flaw Remediation): requires timely patching of Orval to the fixed versions 7.21.0 or 8.2.0, which directly address the incomplete jsStringEscape fix for JSFuck-based code injection.

Prevent · SI-10 (Information Input Validation): validates OpenAPI/Swagger specification inputs to Orval, preventing malicious payloads built from characters like [], (), !, + from bypassing sanitization.

Detect: monitors system processes and verifies integrity during Orval client generation to detect unauthorized JavaScript execution from injected code.
