CVE-2024-14030: CWE-1395 Dependency on Vulnerable Third-Party Component in YVES Sereal::Decoder
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
AI Analysis
Technical Summary
Sereal::Decoder versions 4.000 through 4.009_002 embed a vulnerable version of the Zstandard compression library that is affected by CVE-2019-11922. This underlying vulnerability is a race condition in the one-pass compression functions of zstd prior to version 1.3.8, which can lead to out-of-bounds writes when the output buffer is smaller than recommended. This dependency on a vulnerable third-party component (CWE-1395) exposes Sereal::Decoder to potential memory corruption issues. The vulnerability has a CVSS v3.1 base score of 8.1, reflecting a high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring no privileges or user interaction.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to cause out-of-bounds memory writes, potentially leading to arbitrary code execution, data corruption, or denial of service. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability. However, no known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor vendor communications for updates. Avoid using affected versions if possible or apply mitigations recommended by the vendor once available.
CVE-2024-14030: CWE-1395 Dependency on Vulnerable Third-Party Component in YVES Sereal::Decoder
Description
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sereal::Decoder versions 4.000 through 4.009_002 embed a vulnerable version of the Zstandard compression library that is affected by CVE-2019-11922. This underlying vulnerability is a race condition in the one-pass compression functions of zstd prior to version 1.3.8, which can lead to out-of-bounds writes when the output buffer is smaller than recommended. This dependency on a vulnerable third-party component (CWE-1395) exposes Sereal::Decoder to potential memory corruption issues. The vulnerability has a CVSS v3.1 base score of 8.1, reflecting a high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring no privileges or user interaction.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to cause out-of-bounds memory writes, potentially leading to arbitrary code execution, data corruption, or denial of service. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability. However, no known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor vendor communications for updates. Avoid using affected versions if possible or apply mitigations recommended by the vendor once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-03-28T19:49:07.023Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69cbb22ae6bfc5ba1d0de950
Added to database: 3/31/2026, 11:38:18 AM
Last enriched: 4/8/2026, 12:10:40 AM
Last updated: 5/15/2026, 8:36:18 PM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.