Security Vulnerability Report
CVE-2026-23737 CVSS 7.5 HIGH

CVE-2026-23737

Published: 2026-01-21 23:15:52
Last Modified: 2026-02-27 19:31:58

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:* - VULNERABLE
< 1.4.0

PoC / Exploit Code

No PoC code available.

References

Raw JSON Data

{"cve": {"id": "CVE-2026-23737", "sourceIdentifier": "[email protected]", "published": "2026-01-21T23:15:52.493", "lastModified": "2026-02-27T19:31:57.527", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0."}, {"lang": "es", "value": "seroval facilita la serialización de valores JS, incluyendo estructuras complejas más allá de las capacidades de JSON.stringify. En las versiones 1.4.0 e inferiores, un manejo inadecuado de la entrada en el componente de deserialización JSON puede llevar a la ejecución arbitraria de código JavaScript. Es posible explotarlo mediante la anulación de la deserialización de valores constantes y errores, permitiendo el acceso indirecto a la evaluación JS insegura. Como mínimo, los atacantes necesitan la capacidad de realizar 4 solicitudes separadas en la misma función, y un conocimiento parcial de cómo se utilizan los datos serializados durante el procesamiento posterior en tiempo de ejecución. Esta vulnerabilidad afecta a las funciones fromJSON y fromCrossJSON en un escenario de transmisión de cliente a servidor. Este problema ha sido solucionado en la versión 1.4.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.4.1", "matchCriteriaId": "85760E40-9AB1-40EB-98A1-D1A4411AAFC5"}]}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}