Skip to main content

CVE-2026-33331

| EUVDEUVD-2026-14179 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 https://github.com/middleapi/orpc GHSA-7f6v-3gx7-27q8 GHSA-cqr2-w8jq-c675 GHSA-w5g8-5849-vj76
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 17:30 euvd
EUVD-2026-14179
Analysis Generated
Mar 20, 2026 - 17:30 vuln.today
CVE Published
Mar 20, 2026 - 17:25 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 npm packages depend on @orpc/openapi (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.13.9.

DescriptionGitHub Advisory

A Stored Cross-Site Scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. In the packages/openapi/src/plugins/openapi-reference.ts file, the renderDocsHtml() function takes an OpenAPI spec object and embeds it directly into the HTML response using a template literal:

<script id="spec" type="application/json">${JSON.stringify(spec)}</script>

The JSON.stringify() function does not escape HTML characters like < or >. Therefore, if an attacker provides a string containing </script><script>..., the browser will prematurely close the application/json script block and execute the subsequent malicious script block.

Proof of Concept (PoC)

  1. Create an API router with orpc and configure the OpenAPI plugin.
  2. In the API specification, inject a malicious payload into a field like description:
{
info: {
title: "My API",
version: "1.0.0",
description: "</script><script>alert('XSS executed on ' + document.domain)</script>"
}
}
  1. Generate and serve the documentation HTML.
  2. When a developer or user navigates to the API documentation URL, the browser parses the HTML, breaks out of the JSON block, and immediately executes the alert() payload.

Impact

If an application generates its OpenAPI specifications dynamically based on user-controlled inputs (or if a rogue developer modifies the spec), it leads to Stored XSS. When an administrator or developer views the API docs, the script executes in their browser, potentially leading to session hijacking or unauthorized API calls on their behalf.

Remediation

Do not use raw JSON.stringify() to embed data directly into HTML templates. Instead, safely serialize the JSON by escaping HTML-sensitive characters (like < and >) or use a secure HTML serialization library (such as serialize-javascript or devalue) before embedding it into the <script> tag.

Disclosure & Credits

If this report is helpful, I kindly request that you publish this as a formal GitHub Security Advisory and assign me credit for the discovery. Thank you for maintaining this project!

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the orpc OpenAPI documentation generation functionality, affecting the @orpc/openapi npm package. Attackers who can control OpenAPI specification fields (such as info.description) can inject malicious JavaScript that executes when users view the generated API documentation. A working proof-of-concept exists demonstrating payload injection through specification metadata fields, and while CVSS scores this at 8.2 (High), the network-accessible attack vector with no privileges required increases real-world risk.

Technical ContextAI

This vulnerability affects the @orpc/openapi npm package (pkg:npm/@orpc_openapi) and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw exists in the renderDocsHtml() function within packages/openapi/src/plugins/openapi-reference.ts, where OpenAPI specification objects are embedded directly into HTML templates using JSON.stringify() within script tags. Because JSON.stringify() does not escape HTML-sensitive characters like angle brackets, an attacker can inject sequences such as '</script><script>' to break out of the intended application/json context and introduce executable JavaScript code. This is a classic context-switching XSS vulnerability where data transitions from JSON to HTML without proper sanitization at the boundary.

RemediationAI

Replace the vulnerable JSON.stringify() implementation with a secure HTML serialization approach that properly escapes HTML-sensitive characters before embedding JSON into script tags. Developers should use established libraries such as serialize-javascript or devalue that handle context-appropriate escaping for embedding data in HTML. Alternatively, implement manual escaping of characters like '<', '>', and '&' within JSON strings before insertion into the HTML template. Consult the official GitHub Security Advisory at https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8 for patched versions and upgrade guidance. Until patching is possible, implement input validation and sanitization for all OpenAPI specification fields, restrict specification authoring permissions to trusted developers only, and consider serving API documentation on a separate domain to limit the impact of potential XSS through browser same-origin policy isolation.

Share

CVE-2026-33331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy