PT-2026-5442 · Orval · Orval

K14Uz · Published 2026-01-21 · Updated 2026-03-11 · CVE-2026-25141

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Orval versions 7.19.0 through 7.20.9
Orval versions 8.0.0 through 8.1.9

Description

Orval, a tool that generates type-safe JavaScript clients from OpenAPI specifications, is affected by a code injection issue. The jsStringEscape function does not adequately sanitize input, allowing attackers to inject and execute arbitrary JavaScript code using a limited set of characters, including []()!+. This is achieved through a technique known as JSFuck, which enables code execution without relying on alphanumeric characters or quotes.

Recommendations

Update to Orval version 7.21.0 or later.
Update to Orval version 8.2.0 or later.
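As a triage aid for the issue described above, the following added example (not part of the advisory and not Orval's own code) checks a version string against the affected ranges listed here and flags string values in a parsed OpenAPI document that contain long runs of only the characters []()!+. The function names, the run-length threshold of 12 and the sample spec are assumptions made for illustration; the advisory does not say which spec fields reach jsStringEscape, so every string value is scanned.

```javascript
// Added example, not Orval code. Ranges come from the advisory text above.
const AFFECTED = [
  { from: [7, 19, 0], to: [7, 20, 9] },
  { from: [8, 0, 0], to: [8, 1, 9] },
];

// Compare two [major, minor, patch] triples; returns <0, 0 or >0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when an x.y.z version (pre-release suffix ignored) is in an affected range.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = m.slice(1, 4).map(Number);
  return AFFECTED.some((r) => cmp(v, r.from) >= 0 && cmp(v, r.to) <= 0);
}

// Heuristic (assumption): a run of minLen or more characters drawn only from
// the set named in the advisory is unusual in a spec and worth manual review.
const SYMBOLS = "[]()!+";
function findSymbolRuns(node, minLen = 12, path = "$", hits = []) {
  if (typeof node === "string") {
    let run = 0;
    for (const ch of node) {
      run = SYMBOLS.includes(ch) ? run + 1 : 0;
      if (run >= minLen) { hits.push(path); break; }
    }
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const child = Array.isArray(node) ? `${path}[${k}]` : `${path}.${k}`;
      findSymbolRuns(v, minLen, child, hits);
    }
  }
  return hits;
}

// Constructed sample spec; the symbol run is an inert fragment, not a payload.
const sampleSpec = {
  openapi: "3.0.0",
  info: { title: "Pets (v1) [beta]", version: "1.0.0" },
  components: {
    schemas: { Pet: { type: "string", enum: ["cat", "(![]+[])[+[]]+(!![]+[])[+[]]"] } },
  },
};

console.log(isAffectedVersion("8.1.9"), findSymbolRuns(sampleSpec));
```

A hit only marks a value for review before generation; upgrading to a fixed release remains the remediation given above.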

Exploit

Fix

Command Injection

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-25141
GHSA-GCH2-PHQH-FG9Q
GHSA-H526-WF6G-67JV

Affected Products

Orval