CVE-2026-23737

7.5 HIGH

📋 TL;DR

CVE-2026-23737 is a deserialization vulnerability in the seroval library, versions 1.4.0 and below, that allows arbitrary JavaScript code execution. Attackers can exploit it by sending specially crafted JSON data to the fromJSON or fromCrossJSON functions, potentially leading to remote code execution. This affects applications that use seroval for client-to-server data transmission.

💻 Affected Systems

Products:
  • seroval
Versions: 1.4.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using fromJSON or fromCrossJSON functions with untrusted input in client-to-server scenarios.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution, allowing attackers to execute arbitrary commands, steal data, or pivot to other systems.

🟠 Likely Case

Data exfiltration, application compromise, or denial of service through malicious code execution in the application context.

🟢 If Mitigated

Limited impact with proper input validation and network segmentation, potentially affecting only isolated application components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires 4 separate requests and partial knowledge of serialized data usage patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw

Restart Required: No

Instructions:

1. Update seroval to version 1.4.0 or higher using npm update seroval.
2. Verify the update with npm list seroval.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation (all)

Implement strict input validation for JSON data before passing it to seroval functions.

Function Restriction (all)

Disable or restrict use of the fromJSON and fromCrossJSON functions with untrusted input.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all JSON data processed by seroval
  • Use network segmentation to isolate affected applications and limit the blast radius

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list seroval to verify whether the installed version is 1.4.0 or below.

Check Version:

npm list seroval | grep seroval

Verify Fix Applied:

Confirm that the installed seroval version is 1.4.0 or higher using npm list seroval.

📡 Detection & Monitoring

Log Indicators:

  • Multiple rapid calls to fromJSON/fromCrossJSON functions
  • Unusual error patterns in deserialization logs
  • Unexpected process spawns from application

Network Indicators:

  • Multiple JSON payloads sent to same endpoint in quick succession
  • Unusual data patterns in JSON transmissions

SIEM Query:

source="application_logs" AND (message="*fromJSON*" OR message="*fromCrossJSON*") AND count > 4 within 60s
