Comment Injection to RCE: Breaking Orval with JSDoc
Vulnerability ID: CVE-2026-23947
CVSS Score: 9.3
Published: 2026-01-20
A critical vulnerability in the Orval code generator allows attackers to achieve remote code execution (RCE) by injecting malicious payloads into OpenAPI specification descriptions. The generator failed to sanitize JSDoc comments, allowing arbitrary JavaScript execution.
TL;DR
Orval trusted the x-enumDescriptions field in OpenAPI specs a bit too much. By inserting a JSDoc closer */ followed by JavaScript code, attackers can trick the generator into producing valid TypeScript files that execute arbitrary commands immediately upon import or compilation. Fixed in version 8.0.2.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-77
- Attack Vector: Network
- CVSS 4.0: 9.3 (Critical)
- Impact: Arbitrary Code Execution
- Vulnerable Component: getEnumDescriptions / getEnumNames
- Exploit Status: Proof of Concept Available
Affected Systems
- Orval CLI
- @orval/core
- Node.js environments using generated clients
- CI/CD pipelines processing OpenAPI specs
- @orval/core: >= 7.10.0, < 8.0.2 (Fixed in: 8.0.2)
Code Analysis
Commit: 9e5d935
fix: sanitize x-enumNames and x-enumDescriptions to prevent injection
```ts
export function getEnumDescriptions(...) {
  ...
  return (descriptions as string[]).map((d) => jsStringEscape(d));
}
```
Exploit Details
- GitHub Security Advisory: Advisory containing the PoC payload
Mitigation Strategies
- Input Sanitization
- Dependency Management
- Least Privilege
Remediation Steps:
- Update the orval and @orval/core packages to version 8.0.2 or later.
- Regenerate all client code to ensure no malicious artifacts persist.
- Audit any external OpenAPI specifications currently in use for suspicious comment terminators (*/).
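The following is an added example, not Orval's code and not the change from commit 9e5d935. It illustrates the two defensive points above: escaping an x-enumDescriptions value before it is embedded in a generated JSDoc block, so a comment terminator inside the description cannot end the comment early, and automating the audit step by walking a spec object for x-enumDescriptions / x-enumNames entries that contain a terminator. The escapeForJsDoc helper is a comment-terminator escape of my own, distinct from the jsStringEscape call in the fix; sampleSpec, the function names and the findings path format are constructed for this example.

```javascript
// Added example (not Orval's code): defensive handling of OpenAPI
// x-enumDescriptions values before they are embedded in generated JSDoc.

// Constructed sample spec. One enum carries a description that contains a
// JSDoc terminator; in an unsanitised generator that would close the comment
// early and let the rest of the string land in the .ts file as code.
const sampleSpec = {
  components: {
    schemas: {
      Status: {
        type: "string",
        enum: ["active", "archived"],
        "x-enumDescriptions": ["Record is live", "Record is archived */ trailing text"],
      },
      Kind: {
        type: "string",
        enum: ["a"],
        "x-enumDescriptions": ["Plain description"],
      },
    },
  },
};

// Escape every comment terminator so the text stays inside the JSDoc block.
// Inserting a backslash between '*' and '/' is enough: a block comment may
// contain any characters except the exact two-character sequence '*/'.
function escapeForJsDoc(text) {
  return String(text).replace(/\*\//g, "*\\/");
}

// Render one enum member's JSDoc line the way a generator would, using the
// sanitised description.
function renderEnumDoc(name, description) {
  return `/** ${escapeForJsDoc(description)} */\n${name}`;
}

// Walk a spec object and collect JSON-pointer-style paths whose
// x-enumDescriptions / x-enumNames entries contain a comment terminator.
// This is the manual audit step from the remediation list, automated.
function auditSpec(node, path = "", findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => auditSpec(item, `${path}/${i}`, findings));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}/${key}`;
      if ((key === "x-enumDescriptions" || key === "x-enumNames") && Array.isArray(value)) {
        value.forEach((entry, i) => {
          if (typeof entry === "string" && entry.includes("*/")) {
            findings.push(`${childPath}/${i}`);
          }
        });
      } else {
        auditSpec(value, childPath, findings);
      }
    }
  }
  return findings;
}

// True when a rendered snippet contains exactly one comment closer, i.e. the
// description did not escape the JSDoc block.
function commentIsIntact(rendered) {
  return rendered.split("*/").length === 2;
}

// Stand-alone run: report findings and show the sanitised rendering.
console.log("findings:", auditSpec(sampleSpec));
console.log(renderEnumDoc("archived", sampleSpec.components.schemas.Status["x-enumDescriptions"][1]));
```

Running auditSpec over specs pulled from third parties before handing them to a generator gives a cheap pre-flight check; the escape function is the property a generator must guarantee for every free-text field it copies into a comment, not only the two vendor extensions named here.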
References
Read the full report for CVE-2026-23947 on our website for more details including interactive diagrams and full exploit analysis.