DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24132: Orval's Mock Generator Did What You Told It To (And That's The Problem)

Vulnerability ID: CVE-2026-24132
CVSS Score: 7.7
Published: 2026-01-22

A critical code injection vulnerability in Orval's mock generator allows attackers to execute arbitrary code on developer machines via malicious OpenAPI specifications. By exploiting how const values are interpolated into generated TypeScript files, an attacker can turn a simple API contract update into a full-blown supply chain compromise.

TL;DR

Orval, a tool used to generate TypeScript code from OpenAPI specs, failed to safely sanitize const values in its @orval/mock package. Attackers can inject malicious JavaScript into schema files. When a developer generates mocks and runs them (e.g., during tests), the injected code executes. This is a classic supply chain attack vector targeting the build pipeline.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-77 (Improper Neutralization of Special Elements used in a Command)
  • CVSS v4.0: 7.7 (High)
  • Attack Vector: Network (Malicious Spec File)
  • Impact: Remote Code Execution (RCE)
  • Vulnerable Component: @orval/mock (getMockScalar)
  • Fix Method: Use JSON.stringify() instead of manual escaping
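As an added example (not Orval's own code), the TypeScript below models the `const` branch of getMockScalar in its pre-fix v7 form and in its JSON.stringify form, then runs a round-trip check over constructed sample consts. `escapeLikeJsStringEscape` is an assumed stand-in for the js-string-escape package, and the sample values are constructed for the demonstration.

```typescript
// Added example, not Orval's code: a minimal model of getMockScalar's
// `const` branch in the v7 form and after the fix, plus a check that a
// generated statement is nothing but one literal of the schema value.
// escapeLikeJsStringEscape is an assumed stand-in for js-string-escape:
// it escapes quotes, backslashes and line terminators but adds no quotes.
function escapeLikeJsStringEscape(s: string): string {
  return s.replace(/[\\'"\n\r\u2028\u2029]/g, (c) => {
    switch (c) {
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\u2028": return "\\u2028";
      case "\u2029": return "\\u2029";
      default: return "\\" + c; // backslash and both quote characters
    }
  });
}
// Vulnerable v7 form: the escaped text is interpolated bare, so a string
// const lands in the generated file as code, not as a string literal.
function renderConstV7(constValue: unknown): string {
  return `value = ${escapeLikeJsStringEscape(String(constValue))};`;
}
// Fixed form: JSON.stringify yields a complete, correctly quoted literal
// for strings, numbers, booleans, null and objects alike.
function renderConstFixed(constValue: unknown): string {
  return `value = ${JSON.stringify(constValue)};`;
}
// Check for generated output: the right-hand side must parse as a single
// JSON literal that round-trips to the schema value; anything else means
// schema content reached a code position.
function isSafeRendering(generated: string, original: unknown): boolean {
  const m = /^value = ([\s\S]*);$/.exec(generated);
  if (!m) return false;
  try {
    return JSON.stringify(JSON.parse(m[1])) === JSON.stringify(original);
  } catch {
    return false;
  }
}
// Constructed sample consts: one per JSON type, plus a string carrying
// quotes, a backslash, a semicolon and a newline.
const SAMPLE_CONSTS: unknown[] = [
  "pending", "it's \"done\"; C:\\tmp\nnext line", 42, true, null, { status: "ok" },
];
// Number of samples a renderer turns into a safe literal.
function safeCount(render: (v: unknown) => string): number {
  return SAMPLE_CONSTS.filter((v) => isSafeRendering(render(v), v)).length;
}
```

The v7 form only passes the check for the number, boolean and null samples, which is why string and object consts were the injection surface.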

Affected Systems

  • Orval CLI
  • Developer Workstations
  • CI/CD Pipelines running Orval
  • Orval: <= 7.19.0 (Fixed in: 7.20.0)
  • Orval: 8.0.0-rc.0 - 8.0.2 (Fixed in: 8.0.3)

Code Analysis

Commit: 9b211cd

Fix injection in v8 branch via JSON.stringify

- value = `'${jsStringEscape((item as OpenApiSchemaObject).const)}'`;
+ value = JSON.stringify((item as OpenApiSchemaObject).const);
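Review bot: the replaced line coerced every `const` into a single-quoted string through template interpolation, so besides closing the escaping gap this change also alters how numeric, boolean, null and object consts appear in generated mocks. Worth a regression test that renders one const of each JSON type plus a string containing quotes, backslashes and a newline, and asserts that the emitted text parses back to the schema value.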

Commit: 6966fe8

Backport fix to v7 branch

- value = jsStringEscape(item.const);
+ value = JSON.stringify(item.const);
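Review bot: the removed line never surrounded the escaped text with quotes, so the escaping protected no string literal and the value reached the generated file as bare code; JSON.stringify supplies both the quotes and the escaping, which is why the same one-line change is sufficient here. A test that renders a string const containing quotes and a semicolon and asserts the output is a single string literal would guard the backport against regression.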

Exploit Details

Mitigation Strategies

  • Update @orval/mock and related packages immediately.
  • Treat OpenAPI specifications as untrusted code inputs.
  • Pin versions of generator tools in package.json to avoid accidental regression.

Remediation Steps:

  1. Check the orval version in your package.json.
  2. Run npm install orval@latest or yarn upgrade orval.
  3. Verify the installed version is >= 7.20.0 or >= 8.0.3.
  4. Regenerate your mocks to ensure clean files.

Read the full report for CVE-2026-24132 on our website for more details including interactive diagrams and full exploit analysis.
