GHSA-hj76-42vx-jwp4

Source
https://github.com/advisories/GHSA-hj76-42vx-jwp4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hj76-42vx-jwp4/GHSA-hj76-42vx-jwp4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hj76-42vx-jwp4
Aliases
Published
2026-01-21T15:41:14Z
Modified
2026-02-03T03:10:36.393960Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
seroval Affected by Prototype Pollution via JSON Deserialization
Details

Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality.

As there is no known workaround, please upgrade to the latest version.
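
A lockfile check for the affected range listed on this page (introduced 0, fixed 1.4.1), as an added example that is not part of the advisory or the seroval project. The function names and the `SAMPLE_LOCK` contents are constructed for illustration, and the check assumes a package-lock.json with lockfileVersion 2 or 3.

```javascript
// Added example, not from the advisory: find seroval installs below the fix.
const FIXED = [1, 4, 1]; // "Fixed" event in the advisory's affected range

// Parse "1.4.1" or "1.4.1-beta.0" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Range is introduced 0, fixed 1.4.1: every version below 1.4.1 is affected.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED[i]) return p.parts[i] < FIXED[i];
  }
  return p.pre; // a prerelease of 1.4.1 sorts before 1.4.1 itself
}

// Walk the "packages" map of a parsed package-lock.json (assumed v2 or v3).
function findAffectedSeroval(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/seroval"; match the last
    // segment so nested (transitive) copies are found as well.
    if (!path.endsWith("node_modules/seroval")) continue;
    if (isAffected(String(info.version))) hits.push({ path, version: info.version });
  }
  return hits;
}

// Constructed sample lockfile content (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/seroval": { version: "1.3.2" },
    "node_modules/seroval-plugins": { version: "1.3.2" },
    "node_modules/ui-lib/node_modules/seroval": { version: "1.4.1" },
    "node_modules/ssr-lib/node_modules/seroval": { version: "1.4.1-beta.0" },
  },
};

console.log(findAffectedSeroval(SAMPLE_LOCK));
```

Nested copies matter here because a transitive dependency can pin its own older seroval even after the top-level package is upgraded.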

Database specific
{
    "github_reviewed_at": "2026-01-21T15:41:14Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1321"
    ],
    "nvd_published_at": "2026-01-21T23:15:52Z",
    "severity": "HIGH"
}
References

Affected packages

npm / seroval

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hj76-42vx-jwp4/GHSA-hj76-42vx-jwp4.json"