SCA: security update for @orval/mock (GHSA-f456-rf33-4626)

high Tenable Cloud Security Plugin ID 436899

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification.
Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject
arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties.
These const values are interpolated into the mock scalar generator (getMockScalar in
packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which
results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers.
The vulnerability is similar in impact to the previously reported enum x-enumDescriptions
(GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than
@orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. (CVE-2026-24132)

See Also

https://github.com/advisories/GHSA-f456-rf33-4626

Plugin Details

Severity: High

ID: 436899

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/22/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-24132

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/22/2026

Vulnerability Publication Date: 1/22/2026

Reference Information

CVE: CVE-2026-24132