2026-01-31 — Orval codegen code injection via comment break-out (CVE-2026-25141)

What happened

Orval (an OpenAPI client code generator) has a code injection issue: attacker-controlled spec metadata (notably x-enumDescriptions) is embedded into the generated output without neutralising the comment terminator, so a value containing */ can close the JavaScript comment it was placed in and inject arbitrary code into the generated file.

This is especially risky when codegen runs automatically in CI, or when specs are pulled from untrusted sources.

The advisory notes that this issue stems from an incomplete fix for CVE-2026-23947.

Who should care

  • Teams using Orval in CI/CD pipelines
  • Anyone generating code from specs that can be modified by:
      • untrusted PRs
      • third-party integrations
      • remote URLs / registries

What to do

  1. Upgrade Orval to a fixed version:
       • v7.21.0 (or later)
       • v8.2.0 (or later)
  2. CI hardening: treat specs as untrusted input.
       • Run codegen in a sandboxed, least-privileged environment.
       • Don’t run privileged codegen on untrusted PRs.
       • Require review for generated diffs.
  3. General guidance: see "Code generation: treat specs as untrusted input".

Detection / triage

  • Look for unexpected changes in generated code, especially around comments/docstrings.
  • If you run codegen on untrusted inputs with secrets available, treat it as a potential CI compromise.
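The following is an added example, not Orval's code and not part of the original advisory. It illustrates the break-out described under "What happened" and the two practical responses from this section: a hypothetical emitter that shows why a verbatim `*/` in a description is dangerous, an escaping helper that neutralises the sequence before it is placed in a JSDoc block, and a scanner that walks a parsed spec and reports every string field containing `*/` so a CI job can fail before codegen runs. The spec fragment, the field paths and the function names are all constructed for the example.

```javascript
// Added example (not Orval's own code). Demonstrates the comment break-out
// and two defensive measures: escaping on emission, and scanning the spec.

// Escape a string so it can never close a /* ... */ block comment.
// Inside a comment a backslash has no meaning, so "*\/" stays inert.
function escapeForBlockComment(text) {
  return String(text).replace(/\*\//g, "*\\/");
}

// Hypothetical emitter modelled on the vulnerable pattern: the description
// is interpolated verbatim into a JSDoc block above a generated constant.
function emitEnumDocUnsafe(name, description) {
  return `/**\n * ${name}: ${description}\n */\nconst ${name} = 1;\n`;
}

// Same emitter with the description neutralised before interpolation.
function emitEnumDocSafe(name, description) {
  return `/**\n * ${name}: ${escapeForBlockComment(description)}\n */\nconst ${name} = 1;\n`;
}

// Triage helper: a well-formed doc block for one constant closes exactly once.
// A second "*/" means the comment was terminated early by injected content.
function countCommentClosers(code) {
  return (code.match(/\*\//g) || []).length;
}

// Detection: walk a parsed OpenAPI object and return the JSON-ish path of
// every string that contains the comment terminator "*/".
function findCommentBreakouts(node, path = "$") {
  const hits = [];
  if (typeof node === "string") {
    if (node.includes("*/")) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findCommentBreakouts(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      hits.push(...findCommentBreakouts(v, `${path}.${k}`));
    }
  }
  return hits;
}

// Constructed sample spec fragment: one enum description tries to close the
// comment early. The payload here is a harmless marker, not an exploit.
const sampleSpec = {
  components: {
    schemas: {
      Status: {
        type: "string",
        enum: ["active"],
        "x-enumDescriptions": { active: "ok */ BREAKOUT_MARKER /*" },
      },
    },
  },
};

// Usage: scan first, and refuse to run codegen if anything is flagged.
const breakouts = findCommentBreakouts(sampleSpec);
console.log("flagged fields:", breakouts);

const desc = sampleSpec.components.schemas.Status["x-enumDescriptions"].active;
console.log("unsafe closers:", countCommentClosers(emitEnumDocUnsafe("Status", desc)));
console.log("safe closers:  ", countCommentClosers(emitEnumDocSafe("Status", desc)));
```

In a pipeline the scanner runs as a gate before the generator: a non-empty result fails the job, which is cheaper than reviewing generated diffs after the fact. The escaping helper belongs in whatever layer writes untrusted text into comments; upgrading to the fixed Orval versions listed above remains the primary fix.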

References

  • GitHub Advisory: https://github.com/advisories/GHSA-gch2-phqh-fg9q
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25141
  • Prior related advisory: https://github.com/advisories/GHSA-h526-wf6g-67jv