Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
Published: 2026-01-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Seroval enables advanced JavaScript value stringification beyond standard JSON.stringify, but in versions 1.4.0 and earlier it improperly handles input during JSON deserialization. This flaw, a deserialization of untrusted data vulnerability (CWE‑502), allows an attacker to craft payloads that, when processed by the fromJSON or fromCrossJSON functions in a client‑to‑server context, can cause arbitrary JavaScript code to run. The vulnerability requires an attacker to execute four separate requests on the same deserialization function and requires partial knowledge of how the serialized data is later used; successful exploitation would grant the attacker full control over the environment, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The product affected is seroval provided by lxsmnsyc, with vulnerable releases equal to or older than version 1.4.0, used in Node.js applications that perform client‑to‑server transmissions with seroval's fromJSON and fromCrossJSON functions.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is reported as <1%, suggesting the likelihood of exploitation remains low. The vulnerability is not listed in the CISA KEV catalog, and the attacker requires remote access, four staged requests, and knowledge of the serialization format, meaning that operational security controls such as authentication and request rate limiting could mitigate exploitation risk.

Generated by OpenCVE AI on April 18, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade seroval to version 1.4.0 or later, which patches the deserialization bug.
  • Apply authentication and rate limiting to any endpoints that use seroval’s fromJSON or fromCrossJSON to reduce the chance of multi‑step exploitation.
  • Review server‑side code that executes or evals deserialized data and harden or remove unsafe evaluation paths.

Generated by OpenCVE AI on April 18, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3rxj-6cgf-8cfw seroval Affected by Remote Code Execution via JSON Deserialization
History

Fri, 27 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxsmnsyc
Lxsmnsyc seroval
Vendors & Products Lxsmnsyc
Lxsmnsyc seroval

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 21 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Description seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
Title seroval Affected by Remote Code Execution via JSON Deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Lxsmnsyc Seroval
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:55:09.152Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23737

cve-icon Vulnrichment

Updated: 2026-01-22T21:55:04.670Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T23:15:52.493

Modified: 2026-02-27T19:31:57.527

Link: CVE-2026-23737

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-21T23:09:34Z

Links: CVE-2026-23737 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses