Critical Code Injection Flaw in Orval Threatens JavaScript Supply Chain (CVE-2026-23947)

Developers using Orval to generate type-safe clients from OpenAPI specifications are being urged to update immediately after the discovery of a critical code injection vulnerability that threatens the JavaScript supply chain.

The flaw, tracked as CVE-2026-23947, carries a CVSS score of 9.3 and allows attackers to execute arbitrary code in any environment consuming generated clients.

Massive Attack Surface

Orval is a widely adopted tool in the JavaScript ecosystem, with over 2 million npm downloads per month. Teams use it to automate the creation of TypeScript clients from OpenAPI specifications—meaning a single malicious specification could compromise countless downstream projects.

How It Works

The vulnerability exists in the getEnumImplementation() function within @orval/core. The x-enumDescriptions field is embedded into generated code without proper escaping, allowing attackers to inject arbitrary TypeScript/JavaScript that executes when the generated schema files are loaded.

A proof-of-concept demonstrates the attack:

```yaml
components:
  schemas:
    EvilEnum:
      type: string
      enum:
        - PWNED
      x-enumDescriptions:
        - "pwned */ require('child_process').execSync('id'); /*"
```

When Orval processes this malicious OpenAPI specification, the injected description breaks out of the enum description context (the leading */ closes the generated comment and the trailing /* reopens it, so everything in between is emitted as live code) and executes system commands—in this case, running id via Node.js's child_process module.

Supply Chain Implications

The attack vector is particularly dangerous because:

  • Developers often consume third-party OpenAPI specs from external APIs
  • Generated code is typically trusted and not manually reviewed
  • The malicious payload executes automatically when the generated client is imported
  • CI/CD pipelines running code generation could be compromised

This vulnerability is similar to the recently patched CVE-2026-22785, which affected a different code path in Orval's MCP handling. The current flaw was not addressed by that fix.

Remediation

Upgrade to Orval 8.0.2 immediately.

Organizations should also:

  • Audit any OpenAPI specifications sourced from untrusted third parties
  • Review recently generated client code for suspicious patterns
  • Consider validating OpenAPI specs before processing them with code generators
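The following is an added example, not Orval's own code or code from this advisory. It reconstructs the pattern described above (an enum description interpolated into a generated block comment without escaping) beside a hardened emitter that neutralises the comment terminator, and adds a small pre-generation scanner of the kind the last recommendation calls for. The emitter functions, the scanner, and the assumption that x-enumDescriptions may be either an array (as in the proof-of-concept) or a key/value object are all hypothetical; the sample specification is constructed for the example.

```javascript
// Added example: not Orval's implementation. Function names, the shape of
// the generated output and the x-enumDescriptions handling are assumptions.

// Hypothetical vulnerable emitter: the description is dropped straight into a
// JSDoc comment, so a "*/" inside it closes the comment early.
function emitEnumMemberUnsafe(name, value, description) {
  return `/** ${description} */\n${name}: '${value}',`;
}

// Hardened emitter: make it impossible for the description to terminate the
// comment. "*/" becomes "*\/" (the same convention the TypeScript compiler uses
// for JSDoc text) and line breaks are flattened so nothing leaves the comment.
function escapeCommentText(text) {
  return String(text)
    .replace(/\*\//g, '*\\/')
    .replace(/\r?\n|\u2028|\u2029/g, ' ');
}

function emitEnumMemberSafe(name, value, description) {
  return `/** ${escapeCommentText(description)} */\n${name}: '${value}',`;
}

// True when the only "*/" in the generated text is the one that closes the
// comment, i.e. the description stayed inside the comment.
function commentStaysIntact(generated) {
  return generated.indexOf('*/') === generated.lastIndexOf('*/');
}

// Pre-generation check: flag any x-enumDescriptions value that could end a
// block comment or introduce a line break in generated code.
const UNSAFE_DESCRIPTION = /\*\/|\r|\n|\u2028|\u2029/;

function findUnsafeEnumDescriptions(spec) {
  const findings = [];
  const schemas = (spec.components && spec.components.schemas) || {};
  for (const [schemaName, schema] of Object.entries(schemas)) {
    const descs = schema && schema['x-enumDescriptions'];
    if (!descs) continue;
    // Assumption: the extension is either an array (positional) or an object
    // keyed by enum value; both forms are checked.
    const entries = Array.isArray(descs)
      ? descs.map((d, i) => [String(i), d])
      : Object.entries(descs);
    for (const [key, text] of entries) {
      if (UNSAFE_DESCRIPTION.test(String(text))) {
        findings.push({ schema: schemaName, key, text: String(text) });
      }
    }
  }
  return findings;
}

// Constructed sample spec: one benign enum and the advisory's proof-of-concept.
const constructedSpec = {
  openapi: '3.0.0',
  components: {
    schemas: {
      Colour: {
        type: 'string',
        enum: ['RED', 'GREEN'],
        'x-enumDescriptions': ['Warm colour', 'Cool colour'],
      },
      EvilEnum: {
        type: 'string',
        enum: ['PWNED'],
        'x-enumDescriptions': ["pwned */ require('child_process').execSync('id'); /*"],
      },
    },
  },
};

// Usage: run the scanner before handing a third-party spec to a generator.
console.log(findUnsafeEnumDescriptions(constructedSpec));
```

The scanner is deliberately narrow: it only looks at the field this advisory names. Any other string from an untrusted spec that a generator copies into output (descriptions, examples, operation IDs) deserves the same treatment, and the escaping function, not the scanner, is the real fix, since a scanner only catches the terminators you thought to list.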
