Critical Code Injection Flaw in Orval Threatens JavaScript Supply Chain (CVE-2026-23947)

Developers using Orval to generate type-safe clients from OpenAPI specifications are being urged to update immediately after the discovery of a critical code injection vulnerability that threatens the JavaScript supply chain.

The flaw, tracked as CVE-2026-23947, carries a CVSS score of 9.3 and allows attackers to execute arbitrary code in any environment consuming generated clients.

Massive Attack Surface

Orval is a widely adopted tool in the JavaScript ecosystem, with over 2 million npm downloads per month. Teams use it to automate the creation of TypeScript clients from OpenAPI specifications—meaning a single malicious specification could compromise countless downstream projects.

How It Works

The vulnerability exists in the getEnumImplementation() function within @orval/core. The x-enumDescriptions field is embedded into generated code without proper escaping, allowing attackers to inject arbitrary TypeScript/JavaScript that executes when the generated schema files are loaded.

A proof-of-concept demonstrates the attack:

components:
  schemas:
    EvilEnum:
      type: string
      enum:
        - PWNED
      x-enumDescriptions:
        - "pwned */ require('child_process').execSync('id'); /*"

When Orval processes this malicious OpenAPI specification, the injected string closes the enum description early and the remainder is emitted as live code, which executes when the generated file is loaded. In this case it runs the id command through Node.js's child_process module.

Supply Chain Implications

The attack vector is particularly dangerous because:

  • Developers often consume third-party OpenAPI specs from external APIs
  • Generated code is typically trusted and not manually reviewed
  • The malicious payload executes automatically when the generated client is imported
  • CI/CD pipelines running code generation could be compromised

This vulnerability is similar to the recently patched CVE-2026-22785, which affected a different code path in Orval's MCP handling. The current flaw was not addressed by that fix.

Remediation

Upgrade to Orval 8.0.2 immediately.

Organizations should also:

  • Audit any OpenAPI specifications sourced from untrusted third parties
  • Review recently generated client code for suspicious patterns
  • Consider validating OpenAPI specs before processing them with code generators
