A critical vulnerability in Orval, tracked as CVE-2026-25141, has been disclosed with a severity rating of 9.3 and could enable code injection across millions of projects. Orval, a tool that generates type-safe TypeScript API clients from OpenAPI specifications, embeds OpenAPI field descriptions into JavaScript comments, and the issue arises from inadequate sanitisation of input in x-enum-descriptions when generating code.
By inserting the sequence */ into a description, an attacker can prematurely close a comment block, causing the text that follows to be treated as executable code. The vulnerability is described as a bypass of a previous patch for CVE-2026-23947, and versions 7.19.0 and later remain at risk unless updated. Patches have been released in 7.21.0 and 8.2.0, and the maintainers urge developers using Orval to upgrade promptly; Orval is stated to have over 2.8 million downloads each month. According to the security advisory, developers should audit their pipelines to remove vulnerable versions from use.
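As an added illustration (not Orval's own code), the snippet below shows a minimal generator that pastes an untrusted description straight into a JSDoc block, the hardened variant that neutralises the comment terminator before embedding, and the output check a build pipeline could run over generated files. Function names and the sample description are assumptions constructed for the example.

```javascript
// Added example, not Orval's code. Demonstrates the comment-breakout class
// of bug described above and one way a generator can defend against it.

// Naive generator: the description lands in the comment verbatim, so any
// "*/" inside it terminates the block early.
function renderEnumDocUnsafe(name, description) {
  return `/**\n * ${name}: ${description}\n */`;
}

// Splitting every "*/" into "*\/" means the text can no longer contain a
// contiguous terminator; inside a block comment the backslash is inert.
// Line breaks get the JSDoc prefix so multi-line text stays readable.
function escapeForBlockComment(text) {
  return String(text)
    .replace(/\*\//g, '*\\/')
    .replace(/\r?\n/g, '\n * ');
}

// Hardened generator: same layout, escaped payload.
function renderEnumDocSafe(name, description) {
  return `/**\n * ${name}: ${escapeForBlockComment(description)}\n */`;
}

// Output check for a pipeline: after the opening "/**", the rendered block
// must contain exactly one "*/" and it must be the final two characters.
function commentIsIntact(rendered) {
  const body = rendered.slice(3);
  const firstClose = body.indexOf('*/');
  return firstClose !== -1 && firstClose === body.length - 2;
}

// Constructed sample: a description that tries to close the comment early.
const hostileDescription = 'Active account */ stray text outside the comment';

// Quick demonstration when run directly.
console.log(commentIsIntact(renderEnumDocUnsafe('Status', hostileDescription))); // false
console.log(commentIsIntact(renderEnumDocSafe('Status', hostileDescription)));   // true
```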