Platform
nodejs
Component
@orpc/openapi
Fixed in
1.13.10
1.13.9
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the OpenAPI documentation generation functionality of the @orpc/openapi library. This vulnerability allows attackers to inject malicious JavaScript code into the generated API documentation by manipulating fields within the OpenAPI specification, such as the info.description field. Affected versions are those prior to 1.13.9. A fix is available in version 1.13.9.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser when they view the generated API documentation. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the API documentation. The attacker's ability to control the JavaScript payload provides significant flexibility in the attack, enabling them to target specific user actions or data. The impact is amplified if the API documentation is publicly accessible or widely distributed.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, it is recommended to prioritize remediation.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33331 is to upgrade to version 1.13.9 or later of the @orpc/openapi library. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any user-controlled data used within the OpenAPI specification. Specifically, carefully scrutinize the info.description field and other potentially vulnerable fields. While not a direct fix, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the API documentation endpoint could provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the info.description field and confirming that it is not executed when viewing the generated documentation.
Actualice oRPC a la versión 1.13.9 o superior. Esta versión corrige la vulnerabilidad XSS almacenada en la generación de documentación OpenAPI. La actualización evitará que un atacante controle campos dentro de la especificación OpenAPI y ejecute JavaScript arbitrario cuando un usuario vea la documentación generada.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33331 is a Stored Cross-Site Scripting (XSS) vulnerability in the OpenAPI documentation generation of @orpc/openapi, allowing attackers to inject JavaScript via the OpenAPI specification.
You are affected if you are using @orpc/openapi versions prior to 1.13.9 and are vulnerable to XSS attacks through the API documentation.
Upgrade to version 1.13.9 or later of @orpc/openapi. Implement input validation on user-controlled data within the OpenAPI specification.
No active exploitation has been confirmed at this time, but the vulnerability is considered high severity and should be addressed promptly.
Refer to the @orpc/openapi project's repository or website for the official advisory and release notes related to this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.