Abhayclasher

Vulnerabilities · 1
PT-2026-26754
8.2
2026-03-20
Orpc · Orpc · CVE-2026-33331
**Name of the Vulnerable Software and Affected Versions** orpc versions prior to 1.13.9

**Description** orpc, a tool for building type-safe APIs that conform to the OpenAPI standard, contains a stored cross-site scripting (XSS) issue in its OpenAPI documentation generation. An attacker who controls fields of the OpenAPI specification, such as `info.description`, can inject JavaScript that executes when a user views the generated API documentation. The issue stems from `renderDocsHtml()` in packages/openapi/src/plugins/openapi-reference.ts embedding the specification into the HTML response with a raw `JSON.stringify()` call and no HTML escaping. `JSON.stringify()` escapes quotes and backslashes but leaves `<`, `>` and `&` untouched, and the HTML parser terminates a `<script>` element at the first `</script` it encounters regardless of JavaScript string quoting. A payload such as `</script><script>...` in `info.description` therefore breaks out of the JSON context and runs arbitrary JavaScript in the viewer's browser. Impact includes session hijacking or unauthorized API calls if an administrator or developer views the compromised documentation.

**Recommendations** Update to version 1.13.9 or later. Do not embed data into HTML templates with a raw `JSON.stringify()`. Instead, escape the HTML-sensitive characters in the serialized JSON (`<`, `>` and `&`, e.g. as `\u003c`, `\u003e` and `\u0026`, which remain valid JSON string escapes) or use a library built for safe embedding, such as `serialize-javascript` or `devalue`, before placing the result inside a `<script>` tag.
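The following is an added example, not orpc's own code, that reproduces the unsafe pattern the advisory describes beside a hardened serializer. The function names (`renderDocsHtmlVulnerable`, `renderDocsHtmlFixed`, `serializeForScriptTag`, `countScriptClosers`), the `window.__SPEC__` global and the sample specification are assumptions constructed for this demonstration; the real `renderDocsHtml()` template is not reproduced here.

```typescript
// Added example, not orpc's own code. Shows why a raw JSON.stringify() inside
// a <script> tag is exploitable and what the hardened serializer must do.

type OpenApiSpec = {
  openapi: string;
  info: { title: string; description?: string };
  paths: Record<string, unknown>;
};

// Constructed attacker-controlled specification. The description closes the
// JSON-bearing <script> element and opens a new one.
const maliciousSpec: OpenApiSpec = {
  openapi: "3.1.0",
  info: {
    title: "demo",
    description: "</script><script>alert(document.cookie)</script>",
  },
  paths: {},
};

// Vulnerable pattern (hypothetical template modelled on the advisory text):
// JSON.stringify() leaves '<', '>' and '&' unescaped, so "</script" survives
// verbatim and the HTML tokenizer ends the script block early.
function renderDocsHtmlVulnerable(spec: OpenApiSpec): string {
  return `<!doctype html><html><body><div id="docs"></div>
<script>window.__SPEC__ = ${JSON.stringify(spec)};</script>
</body></html>`;
}

// Hardened serializer: run JSON.stringify(), then rewrite every character
// that can change the HTML or JS context into a \uXXXX escape. The escapes
// are valid inside JSON strings, so the browser decodes the identical spec.
function serializeForScriptTag(value: unknown): string {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16);
    return "\\u" + ("0000" + hex).slice(-4);
  });
}

function renderDocsHtmlFixed(spec: OpenApiSpec): string {
  return `<!doctype html><html><body><div id="docs"></div>
<script>window.__SPEC__ = ${serializeForScriptTag(spec)};</script>
</body></html>`;
}

// Models the HTML tokenizer rule that "</script" (case-insensitive) always
// closes a script element: the vulnerable page contains three, the fixed
// page only the legitimate one.
function countScriptClosers(html: string): number {
  return (html.match(/<\/script/gi) || []).length;
}

// Stand-alone demonstration.
console.log("vulnerable </script count:",
  countScriptClosers(renderDocsHtmlVulnerable(maliciousSpec)));
console.log("fixed      </script count:",
  countScriptClosers(renderDocsHtmlFixed(maliciousSpec)));
console.log("round trip intact:",
  JSON.stringify(JSON.parse(serializeForScriptTag(maliciousSpec))) ===
    JSON.stringify(maliciousSpec));
```

The escape set covers `<`, `>` and `&` (the characters that matter to the HTML parser) plus U+2028/U+2029, which older JavaScript engines rejected inside string literals; escaping them costs nothing and keeps the output safe if it is ever consumed by a non-JSON.parse path.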