Mocking the Mock: RCE via Orval Code Generation
Jan 22, 2026 · 5 min read
Executive Summary (TL;DR)
Orval, a popular OpenAPI-to-TypeScript generator, failed to sanitize `const` values from OpenAPI 3.1.0 specifications before writing them into generated source on disk. By crafting a malicious schema, an attacker can break out of the generated string literals and inject JavaScript statements. When developers generate mocks or run tests, the injected code executes. The fix replaces naive string interpolation with `JSON.stringify()`, which emits a correctly escaped string literal for any value.
A high-severity code injection vulnerability in the @orval/mock package allows attackers to execute arbitrary code on developer machines and CI/CD pipelines by embedding malicious payloads in OpenAPI 'const' definitions.
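An added illustration (not Orval's own code) of the interpolation pattern the advisory describes beside the `JSON.stringify()` fix, plus a small scanner a reviewer can run over generated output to confirm a `const` value never leaves its string literal. The function names, the `mockValue` identifier and the sample values are assumptions constructed for this example.

```javascript
// Constructed illustration (not Orval's source) of the pattern behind the
// advisory: a generator that interpolates an OpenAPI `const` value straight
// into a TypeScript string literal, beside the JSON.stringify() fix.

// Vulnerable pattern: the value is pasted between quotes unescaped, so a
// value containing a quote (or a trailing backslash) changes the syntax of
// the emitted statement.
function emitConstVulnerable(value) {
  return `export const mockValue = '${value}';`;
}

// Fixed pattern: JSON.stringify() yields a valid JavaScript string literal
// for any string, escaping quotes, backslashes and control characters.
function emitConstFixed(value) {
  return `export const mockValue = ${JSON.stringify(value)};`;
}

// Review check for generated output: count statement terminators (';') that
// sit outside string literals. A correctly emitted constant has exactly one;
// more means the value escaped its literal, zero means the literal never
// closed. Nothing is evaluated, so the check is safe to run on untrusted output.
function countTerminatorsOutsideStrings(src) {
  let count = 0;
  let quote = null; // current string delimiter, or null when outside a string
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {
      if (ch === '\\') { i++; continue; } // skip the escaped character
      if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"' || ch === '`') {
      quote = ch;
    } else if (ch === ';') {
      count++;
    }
  }
  return count;
}

function isSingleStatement(src) {
  return countTerminatorsOutsideStrings(src) === 1;
}

// Constructed sample const values: one containing a quote, one ending in a backslash.
const samples = ["ok'; console.log('escaped the literal'); '", 'end\\'];
for (const value of samples) {
  console.log('vulnerable:', isSingleStatement(emitConstVulnerable(value)), emitConstVulnerable(value));
  console.log('fixed:     ', isSingleStatement(emitConstFixed(value)), emitConstFixed(value));
}
```

Running it prints `false` for both vulnerable emissions (the first breaks into three statements, the second never closes its literal) and `true` for both fixed ones.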
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| @orval/mock (Orval) | < 7.20.0 | 7.20.0 |
| @orval/mock (Orval) | >= 8.0.0, < 8.0.3 | 8.0.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-94 (Code Injection) |
| Severity | High |
| CVSS Estimate | 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Attack Vector | Spec File Injection |
| Exploit Status | Proof of Concept Available |
| Patch | JSON.stringify() implementation |
CWE-94 (Code Injection), as defined by MITRE: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.