Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
Published: 2026-01-21
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution via JSON Deserialization
Action: Apply Patch
AI Analysis

Impact

The flaw arises because seroval does not validate object keys during JSON deserialization. An attacker can supply a key that targets internal prototype properties, such as __proto__ or constructor, causing those properties to be overwritten on the Object prototype. This prototype pollution can alter the behavior of any subsequent code that runs in the same JavaScript process.

Affected Systems

The affected library is lxsmnsyc's seroval, as used in Node.js applications. Every installation of seroval at version 1.4.0 or earlier is affected; releases starting with 1.4.1 contain the patch.

Risk and Exploitability

The CVSS score is 7.3, indicating a high impact, and the EPSS score is below 1%, suggesting that exploitation attempts are currently rare. The vulnerability is not listed in CISA's KEV catalog. An attacker can trigger the flaw by supplying crafted JSON to any code path that invokes seroval's deserialize function; no privileges are required.

Generated by OpenCVE AI on April 18, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade seroval to version 1.4.1 or later to apply the vendor fix.
  • Validate JSON input against a schema that excludes prototype keys before calling deserialize.
  • Audit your code to ensure the library is used only with trusted data and consider limiting its usage to protected contexts.
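One way to implement the input check in the second action above, as an added JavaScript example that is not part of this advisory or of the seroval project: it rejects JSON whose object keys could reach Object.prototype before the parsed value is handed to a deserializer. The call to seroval's deserialize() itself is assumed and not shown.

```javascript
// Added example, not seroval's own code: a JSON.parse guard that refuses any
// object key able to reach Object.prototype. Run it on untrusted input before
// passing the result to a deserializer such as seroval's deserialize().
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class PrototypeKeyError extends Error {
  constructor(key) {
    super(`rejected JSON input: forbidden object key "${key}"`);
    this.name = 'PrototypeKeyError';
    this.key = key;
  }
}

// JSON.parse calls the reviver once per property of every object and array it
// builds, innermost first, so a single check here covers the whole tree.
// Array indices arrive as keys too but never match the forbidden set.
function safeJsonParse(text) {
  return JSON.parse(text, function reviver(key, value) {
    if (PROTOTYPE_KEYS.has(key)) throw new PrototypeKeyError(key);
    return value;
  });
}

// The same check for a value that some other code already parsed. JSON.parse
// stores a literal "__proto__" as an own enumerable property, so Object.keys
// sees it. Returns the JSONPath-style location of the first hit, or null.
function findPrototypeKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (PROTOTYPE_KEYS.has(key)) return here;
    const hit = findPrototypeKey(value[key], here);
    if (hit !== null) return hit;
  }
  return null;
}
```

Rejecting rather than silently dropping the key keeps the failure visible in logs, which is where a pollution attempt against a deserializer is most likely to be noticed.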

Advisories
Source: GitHub GHSA
ID: GHSA-hj76-42vx-jwp4
Title: seroval Affected by Prototype Pollution via JSON Deserialization
History

Fri, 27 Feb 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Lxsmnsyc; Lxsmnsyc seroval
Type: Vendors & Products
Values Added: Lxsmnsyc; Lxsmnsyc seroval

Thu, 22 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 12:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 21 Jan 2026 23:15:00 +0000

Type: Description
Values Added: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
Type: Title
Values Added: seroval Affected by Prototype Pollution via JSON Deserialization
Type: Weaknesses
Values Added: CWE-1321
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T14:45:53.950Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23736

Vulnrichment

Updated: 2026-01-22T14:45:51.268Z

NVD

Status: Analyzed

Published: 2026-01-21T23:15:52.340

Modified: 2026-02-27T19:36:50.543

Link: CVE-2026-23736

Redhat

Severity: Important

Public Date: 2026-01-21T23:01:10Z

Links: CVE-2026-23736 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses