GHSA-3rxj-6cgf-8cfw

Source

https://github.com/advisories/GHSA-3rxj-6cgf-8cfw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3rxj-6cgf-8cfw/GHSA-3rxj-6cgf-8cfw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3rxj-6cgf-8cfw

Aliases

CVE-2026-23737

Published

2026-01-21T15:41:22Z

Modified

2026-02-03T03:10:28.864047Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

seroval Affected by Remote Code Execution via JSON Deserialization

Details

Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution.

The vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to perform 4 separate requests on the same function and partial knowledge of how the serialized data is used during later runtime processing.

This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario.

No known workarounds or mitigations are known, so please upgrade to the patched version.

Database specific

{
    "github_reviewed_at": "2026-01-21T15:41:22Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-01-21T23:15:52Z"
}

References

Affected packages

npm / seroval

Package

Name: seroval; View open source insights on deps.dev
Purl: pkg:npm/seroval

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3rxj-6cgf-8cfw/GHSA-3rxj-6cgf-8cfw.json"