CVE-2026-23737

Name of the Vulnerable Software and Affected Versions seroval versions prior to 1.4.0

Description seroval is a JavaScript library that facilitates value stringification, including complex structures beyond the capabilities of JSON.stringify. Improper input handling in the JSON deserialization component in versions 1.4.0 and below can lead to arbitrary JavaScript code execution. This is possible through overriding constant value and error deserialization, which allows indirect access to unsafe JavaScript evaluation. An attacker requires the ability to make at least four separate requests to the same function and partial knowledge of how the serialized data is used during runtime processing. The fromJSON and fromCrossJSON functions are affected in client-to-server transmission scenarios.

Recommendations Update to version 1.4.0 or later.