Developers relying on orval to generate type-safe clients from OpenAPI specifications are being urged to update immediately following the discovery of a critical code injection vulnerability. The flaw, tracked as CVE-2026-23947, carries a massive CVSS score of 9.3, threatening the software supply chain of millions of projects.
Orval is a heavyweight in the JavaScript ecosystem. The npm package has over 2 million downloads every month, making it a staple for teams automating the creation of TypeScript clients.
The vulnerability lies in how Orval processes specific fields within an OpenAPI specification. Attackers can leverage untrusted specs to inject malicious code directly into the generated client files.
According to the security advisory, the issue is rooted in the x-enum-descriptions field. “The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enum-descriptions field, which is embedded without proper escaping in getEnumImplementation()”.
Essentially, if a developer generates a client from a malicious or compromised API specification, the resulting code, which is normally assumed to be safe, can contain a hidden payload. The advisory confirms that “the injection occurs during const enum generation and results in executable code within the generated schema files”.
Interestingly, this isn’t the first time this specific pattern has caused trouble. The report notes that “this issue is similar in nature to the recently-patched MCP vulnerability (CVE-2026-22785), but affects a different code path in @orval/core that was not addressed by that fix”.
The consequences of this flaw are severe. Successful exploitation leads to “arbitrary code execution in environments consuming generated clients”. This means the malicious code executes not on the server hosting the API, but within the application of the developer or user who integrated the generated client.
The maintainers have released a patch to close this injection vector. Developers using the tool should upgrade to Orval 8.0.2 immediately to ensure their generated clients remain secure.
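The following is an added example, not orval's code and not taken from the advisory. It shows the defensive pattern the fix implies: an enum emitter that neutralises x-enum-descriptions before embedding them in a doc comment, plus a pre-generation check that flags risky entries anywhere in an untrusted spec so CI can reject it. The exact layout orval uses in getEnumImplementation(), the helper names, and the sample spec are assumptions.

```javascript
// Added example, not orval's code. It models the "const enum with descriptions"
// emission that CVE-2026-23947 concerns; the exact layout orval uses inside
// getEnumImplementation() is an assumption here.

const LINE_TERMINATORS = /[\r\n\u2028\u2029]/g;

// Neutralise a spec-controlled string for a block comment: line terminators are
// collapsed and "*/" is broken up, so the text cannot end the comment early.
function commentSafe(text) {
  return String(text).replace(LINE_TERMINATORS, ' ').replace(/\*\//g, '* /');
}

// Hardened emitter: descriptions pass through commentSafe, member names are
// built by whitelist, and enum values are emitted as JSON string literals.
function getEnumImplementationSafe(name, schema) {
  const values = schema.enum || [];
  const descriptions = schema['x-enum-descriptions'] || [];
  const members = values.map((value, i) => {
    const doc = i < descriptions.length ? `  /** ${commentSafe(descriptions[i])} */\n` : '';
    return `${doc}  ${String(value).replace(/[^A-Za-z0-9_$]/g, '_')} = ${JSON.stringify(value)},`;
  });
  return `export const enum ${name} {\n${members.join('\n')}\n}\n`;
}

// Pre-generation check for CI: JSON-pointer paths of every x-enum-descriptions
// entry that commentSafe would have to alter, anywhere in the document.
function findRiskyEnumDescriptions(node, path = '#') {
  if (!node || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([key, value]) => {
    if (key === 'x-enum-descriptions' && Array.isArray(value)) {
      return value.flatMap((d, i) =>
        typeof d === 'string' && commentSafe(d) === d ? [] : [`${path}/${key}/${i}`]);
    }
    return findRiskyEnumDescriptions(value, `${path}/${key}`);
  });
}

// Constructed sample spec: the second description would close a doc comment.
const untrustedSpec = {
  openapi: '3.0.3',
  components: { schemas: { Status: {
    type: 'string',
    enum: ['active', 'disabled'],
    'x-enum-descriptions': ['Account is active', 'Account is off */ sideEffect() /*'],
  } } },
};
```

Running findRiskyEnumDescriptions(untrustedSpec) before generation reports the offending entry; getEnumImplementationSafe keeps it inside the comment regardless.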