PT-2026-4314 · Orval · Orval

K14Uz · Published 2026-01-22 · Updated 2026-02-27 · CVE-2026-24132

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Orval versions 7.19.0 and below, and 8.0.0-rc.0 through 8.0.2
Description: Orval generates type-safe JavaScript clients from OpenAPI specifications. An untrusted OpenAPI specification can inject arbitrary TypeScript/JavaScript into the generated mock files through the const keyword on schema properties. The const values are interpolated by the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without escaping or type-safe serialization, so attacker-controlled code is emitted into both the interface definitions and the faker/MSW handlers. The issue is similar to a previously reported issue affecting a different code path.
Recommendations: Use Orval version 7.20.0 or 8.0.3 or later.
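The flaw class described above, as an added example that is not Orval's code: a hypothetical stand-in for a mock scalar generator renders a schema `const` into a generated source line, first by string interpolation (the pattern the advisory describes) and then by serializing the value with `JSON.stringify`, which is the type-safe serialization the fix requires. The schema value and the `renderConst*`/`evaluateGenerated` names are constructed for this example; `evaluateGenerated` simply runs the emitted line in a fresh function scope to show what code the generated file would actually execute.

```javascript
// Added example (not Orval's code): why a schema `const` must be serialized,
// not string-interpolated, when it is written into a generated source file.
// The two renderers below are a hypothetical stand-in for the mock scalar
// code path named in the advisory; only the rendering strategy differs.

// Naive rendering: the const value is pasted into a string literal as-is.
// A quote or backslash inside the value terminates the literal, and the
// rest of the value is emitted as code in the generated file.
function renderConstNaive(name, constValue) {
  return `const ${name} = "${constValue}";`;
}

// Hardened rendering: JSON.stringify yields a JavaScript literal for any
// JSON value (string, number, boolean, null, array, object) and escapes
// quotes, backslashes and control characters, so the output is always one
// literal that evaluates back to the original value.
function renderConstSafe(name, constValue) {
  if (constValue === undefined) {
    throw new TypeError(`schema ${name}: const must be a JSON value`);
  }
  return `const ${name} = ${JSON.stringify(constValue)};`;
}

// Runs the emitted line in a fresh function scope and returns the value the
// generated mock would hold; this stands in for importing the generated file.
function evaluateGenerated(line, name) {
  return new Function(`${line} return ${name};`)();
}

// Constructed schema property: a `const` string containing a quote and a
// harmless arithmetic expression. A real spec could carry any text here.
const constructedConst = '" + (1 + 1) + "';

// Naive interpolation emits  const v = "" + (1 + 1) + "";  so the expression
// in the spec is executed and the mock holds "2" rather than the spec's string.
function naiveResult() {
  return evaluateGenerated(renderConstNaive('v', constructedConst), 'v');
}

// Safe rendering emits  const v = "\" + (1 + 1) + \"";  and round-trips.
function safeResult() {
  return evaluateGenerated(renderConstSafe('v', constructedConst), 'v');
}

// Check over several JSON shapes: the hardened renderer must reproduce every
// value exactly (deep equality via a JSON round-trip).
function safeRoundTrips(values) {
  return values.every((value) => {
    const got = evaluateGenerated(renderConstSafe('v', value), 'v');
    return JSON.stringify(got) === JSON.stringify(value);
  });
}

console.log('naive  ->', JSON.stringify(naiveResult()));
console.log('safe   ->', JSON.stringify(safeResult()));
console.log('round-trip ok:', safeRoundTrips(['plain', 42, true, null, ['a', 1], { nested: { text: 'x"y' } }]));
```

Serializing with `JSON.stringify` is the right tool only where the value lands in an expression (or, for strings, numbers and booleans, a literal type in an interface); a `const` that ends up in an identifier, a type name or a template position still needs validation against an allowlist, and non-JSON values such as `undefined` must be rejected rather than rendered.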

Exploit

Fix

Code Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-24132
GHSA-F456-RF33-4626

Affected Products

Orval