CVE-2024-14031: CWE-1395 Dependency on Vulnerable Third-Party Component in YVES Sereal::Encoder
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
AI Analysis
Technical Summary
Sereal::Encoder versions 4.000 through 4.009_002 include an embedded Zstandard (zstd) library version vulnerable to CVE-2019-11922. This underlying Zstandard vulnerability is a race condition in the one-pass compression functions prior to version 1.3.8, which may allow an attacker to write bytes out of bounds when an output buffer smaller than recommended is used. The vulnerability is categorized under CWE-1395 (Dependency on Vulnerable Third-Party Component). The CVSS v3.1 base score is 8.1, indicating high severity with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts to confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows potential out-of-bounds memory writes during compression operations, which can compromise confidentiality, integrity, and availability of affected systems using the vulnerable Sereal::Encoder versions. This could lead to arbitrary code execution or application crashes depending on exploitation, though no known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor for updates from the YVES project or Sereal::Encoder maintainers. Consider avoiding use of affected versions or replacing the embedded Zstandard library with a fixed version (1.3.8 or later) if feasible.
CVE-2024-14031: CWE-1395 Dependency on Vulnerable Third-Party Component in YVES Sereal::Encoder
Description
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sereal::Encoder versions 4.000 through 4.009_002 include an embedded Zstandard (zstd) library version vulnerable to CVE-2019-11922. This underlying Zstandard vulnerability is a race condition in the one-pass compression functions prior to version 1.3.8, which may allow an attacker to write bytes out of bounds when an output buffer smaller than recommended is used. The vulnerability is categorized under CWE-1395 (Dependency on Vulnerable Third-Party Component). The CVSS v3.1 base score is 8.1, indicating high severity with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts to confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows potential out-of-bounds memory writes during compression operations, which can compromise confidentiality, integrity, and availability of affected systems using the vulnerable Sereal::Encoder versions. This could lead to arbitrary code execution or application crashes depending on exploitation, though no known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor for updates from the YVES project or Sereal::Encoder maintainers. Consider avoiding use of affected versions or replacing the embedded Zstandard library with a fixed version (1.3.8 or later) if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-03-29T15:12:06.674Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69cbb22ae6bfc5ba1d0de955
Added to database: 3/31/2026, 11:38:18 AM
Last enriched: 4/8/2026, 12:10:47 AM
Last updated: 5/15/2026, 8:35:42 PM
Views: 83
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.