CVE-2026-23737

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23737

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23737.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23737

Aliases

GHSA-3rxj-6cgf-8cfw

Published

2026-01-21T23:09:34.670Z

Modified

2026-03-14T12:47:17.547304Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

seroval Affected by Remote Code Execution via JSON Deserialization

Details

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23737.json"
}

References

Affected packages

Git / github.com/lxsmnsyc/seroval

Affected ranges

Type: GIT
Repo: https://github.com/lxsmnsyc/seroval
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce9408ebc87312fcad345a73c172212f2a798060

Affected versions

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.11.4

v0.11.5

v0.11.6

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.12.4

v0.13.0

v0.13.1

v0.13.2

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.0-alpha.0

v0.4.0-alpha.1

v0.4.0-alpha.10

v0.4.0-alpha.11

v0.4.0-alpha.12

v0.4.0-alpha.13

v0.4.0-alpha.14

v0.4.0-alpha.15

v0.4.0-alpha.16

v0.4.0-alpha.17

v0.4.0-alpha.18

v0.4.0-alpha.2

v0.4.0-alpha.3

v0.4.0-alpha.4

v0.4.0-alpha.5

v0.4.0-alpha.6

v0.4.0-alpha.7

v0.4.0-alpha.8

v0.4.0-alpha.9

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23737.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.4.1"
            }
        ]
    }
]