CVE Reports

Posted on • Originally published at cvereports.com

GHSA-F456-RF33-4626: Mocking the Mock: RCE via Orval Code Generation

Vulnerability ID: GHSA-F456-RF33-4626
CVSS Score: 8.6
Published: 2026-01-22

A high-severity code injection vulnerability in the @orval/mock package allows attackers to execute arbitrary code on developer machines and CI/CD pipelines by embedding malicious payloads in OpenAPI 'const' definitions.

TL;DR

Orval, a popular OpenAPI-to-TypeScript generator, failed to sanitize const values from OpenAPI 3.1.0 specifications before writing them to disk. By crafting a malicious schema, an attacker can break out of the generated string literals and inject JavaScript commands. When developers generate mocks or run tests, this code executes instantly. The fix involves replacing naive string interpolation with JSON.stringify().
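To make the TL;DR concrete, here is an added example (not Orval's own code) of a minimal `const` emitter in its vulnerable and fixed forms, run against a constructed, harmless payload. The names `emitConstVulnerable`, `emitConstFixed`, `evaluateEmitted`, `sink` and `PAYLOAD` are assumed for the demonstration.

```javascript
// Added example, not Orval's code: a minimal stand-in for the part of a mock
// generator that turns an OpenAPI `const` value into a JavaScript literal.

// Vulnerable pattern (as in the advisory): concatenate the raw value into a
// single-quoted literal. A quote inside `value` closes the literal early and
// whatever follows is emitted as code.
function emitConstVulnerable(value) {
  return "'" + ("" + value) + "'";
}

// Fixed pattern: JSON.stringify emits a complete, correctly escaped literal
// (quotes, backslashes, control characters) and preserves the JSON type.
function emitConstFixed(value) {
  if (value === undefined) {
    throw new TypeError("const value is required"); // stringify would give undefined
  }
  return JSON.stringify(value);
}

// Evaluate the emitted text the way a generated mock file is evaluated when
// it is loaded. `sink` is a constructed object standing in for anything the
// generated module can reach.
function evaluateEmitted(code, sink) {
  return new Function("sink", "return (" + code + ");")(sink);
}

// Constructed payload: it only sets a marker on `sink`, so execution is
// observable without side effects outside this script.
const PAYLOAD = "' + (sink.marker = 'injected') + '";

function demo() {
  const sinkVuln = {};
  const sinkFixed = {};
  const vulnerableResult = evaluateEmitted(emitConstVulnerable(PAYLOAD), sinkVuln);
  const fixedResult = evaluateEmitted(emitConstFixed(PAYLOAD), sinkFixed);
  return {
    vulnerableCode: emitConstVulnerable(PAYLOAD),
    vulnerableResult,                   // "injected": the expression ran
    vulnerableMarker: sinkVuln.marker,  // "injected"
    fixedCode: emitConstFixed(PAYLOAD),
    fixedResult,                        // === PAYLOAD, still an inert string
    fixedMarker: sinkFixed.marker,      // undefined: nothing ran
  };
}

console.log(demo());
```

The same functions show the type point: `emitConstFixed(42)` evaluates to the number 42, while the vulnerable emitter turns every OpenAPI 3.1 `const` (number, boolean, null) into a string.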


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-94 (Code Injection)
  • Severity: High
  • CVSS Estimate: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Spec File Injection
  • Exploit Status: Proof of Concept Available
  • Patch: JSON.stringify() implementation

Affected Systems

  • @orval/mock < 7.20.0 (fixed in 7.20.0)
  • @orval/mock >= 8.0.0, < 8.0.3 (fixed in 8.0.3)
  • Node.js development environments
  • CI/CD pipelines running Orval

Code Analysis

Commit: 44ca8c1

Initial fix attempt using custom escaping

- value = '' + item.const
+ value = jsStringEscape(item.const)
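Review bot: `jsStringEscape(item.const)` only escapes characters inside the literal; the surrounding quotes are still supplied by the template, so the result is safe only if the escaper's assumptions about quote style match the quotes the template actually emits. Also check what the escaper returns for non-string `const` values (OpenAPI 3.1 allows numbers, booleans, null and objects): the removed `'' + item.const` coerced them to strings, and the replacement may not. Emitting the complete literal, quotes included, from a single serializer avoids both problems.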

Commit: 9b211cd

Final robust fix using JSON.stringify

- value = jsStringEscape(item.const)
+ value = JSON.stringify(item.const)
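Review bot: `JSON.stringify(item.const)` yields a complete double-quoted literal with `"`, `\` and control characters escaped, so the template must no longer wrap `value` in its own quotes, otherwise the output becomes a JSON string nested inside another literal. It also returns `undefined` (not a string) when `item.const` is `undefined`, which would print the bare text `undefined` into the generated file; guard that case before this line.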

Exploit Details

  • GitHub Advisory: Proof of Concept demonstrating process execution via const injection

Mitigation Strategies

  • Input sanitization: treat OpenAPI spec files as untrusted input and serialize const values with JSON.stringify() rather than string interpolation
  • Dependency updates: upgrade @orval/mock to 7.20.0 / 8.0.3 or later
  • Least privilege for CI/CD: run code generation with the minimum permissions and secrets the job needs, so an injected payload has little to reach

Remediation Steps:

  1. Check current version: npm list @orval/mock
  2. Update package: npm install @orval/mock@latest or specifically >=7.20.0 / >=8.0.3
  3. Regenerate mocks to ensure existing malicious files are overwritten with safe versions
  4. Review git history for changes to openapi.yaml or generated mock files that look suspicious

Read the full report for GHSA-F456-RF33-4626 on our website for more details including interactive diagrams and full exploit analysis.
