CVE-2026-23737
Published: 21 January 2026
Summary
CVE-2026-23737 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
Validates or rejects untrusted serialized data before deserialization occurs.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization of untrusted data (CWE-502) in fromJSON/fromCrossJSON directly enables remote arbitrary JS code execution on the server via crafted client-to-server payloads, mapping to T1190 (public-facing app exploitation) and T1059.007 (JavaScript interpreter abuse).
NVD Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error…
more
deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
Deeper analysisAI
Seroval is a JavaScript library designed for stringifying JavaScript values, including complex structures beyond the capabilities of JSON.stringify. CVE-2026-23737 affects versions 1.4.0 and below, stemming from improper input handling in the JSON deserialization component, which can lead to arbitrary JavaScript code execution. The vulnerability specifically impacts the fromJSON and fromCrossJSON functions in client-to-server transmission scenarios, classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires attackers to have low privileges (PR:L) and network access (AV:N), but demands high attack complexity (AC:H) with no user interaction needed. At minimum, attackers must perform four separate requests targeting the same function and possess partial knowledge of how the serialized data is processed at runtime. This enables overriding constant values and error deserialization, providing indirect access to unsafe JavaScript evaluation and resulting in high impacts to confidentiality, integrity, and availability.
The issue has been fixed in seroval version 1.4.0. Mitigation involves upgrading to this patched version. Additional details are available in the GitHub security advisory (GHSA-3rxj-6cgf-8cfw) and the associated commit (ce9408ebc87312fcad345a73c172212f2a798060).
Details
- CWE(s)