Intel

AIKIDO-2026-749753

exact-mirror is vulnerable to Code Injection

Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

JSexact-mirror
0.0.0 - 1.1.0
Fixed in 1.1.1
Are you affected? Scan for Free

TL;DR

exact-mirror compiles a value-mirroring function from a TypeBox/OpenAPI schema by building JavaScript source and passing it to Function. Schema property names are embedded directly into that generated source, and before the fix non-identifier names were inserted as raw, unescaped string literals via encodeProperty and joinProperty. A property name containing a quote, backtick, or other special character can break out of the literal and inject attacker-controlled JavaScript into the generated function, which executes when the mirror is compiled or invoked. The fix detects safe identifiers with a strict regex and escapes property names with JSON.stringify using bracket access.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and build mirrors from schemas whose property names come from untrusted input.

Background info

exact-mirror is vulnerable to Code Injection in versions 0.0.0 - 1.1.0.

How to fix this

Upgrade the exact-mirror library to the patch version.