CVE-2026-23737: CWE-502: Deserialization of Untrusted Data in lxsmnsyc seroval
CVE-2026-23737 is a high-severity deserialization vulnerability in the lxsmnsyc seroval library in versions below 1.4.1. The flaw exists in the fromJSON and fromCrossJSON functions, which improperly handle untrusted input during JSON deserialization, enabling arbitrary JavaScript code execution. Exploitation requires an attacker to perform multiple requests with partial knowledge of how the serialized data is used; no user interaction is needed, but low privileges are. This vulnerability can compromise the confidentiality, integrity, and availability of affected systems. Although no known exploits are reported in the wild, the risk is significant because of the potential for remote code execution. The issue is fixed in version 1.4.1.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-23737 affects the seroval library, a JavaScript serialization tool designed to handle complex data structures beyond what JSON.stringify supports. Versions prior to 1.4.1 contain a flaw in the deserialization path of the fromJSON and fromCrossJSON functions. Specifically, the library improperly processes untrusted input during JSON deserialization, allowing attackers to override constant values and the error deserialization mechanism. This manipulation leads to indirect execution of attacker-influenced JavaScript via unsafe evaluation paths. Exploitation requires an attacker to send at least four carefully crafted requests to the same function and to possess partial knowledge of how serialized data is processed at runtime. The vulnerability does not require user interaction but does require low privileges to initiate the requests. The impact includes arbitrary code execution on the client or server side, potentially leading to full system compromise, data theft, or service disruption. The vulnerability is categorized under CWE-502 (Deserialization of Untrusted Data) and has a CVSS v3.1 base score of 7.5, indicating high severity. No public exploits have been reported yet, but the risk remains significant given the nature of the flaw. The issue was fixed in seroval version 1.4.1, which corrects input handling during deserialization to prevent unsafe code execution.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems that use the seroval library for client-server JSON data transmission. Successful exploitation could allow attackers to execute arbitrary JavaScript code remotely, potentially leading to unauthorized access, data exfiltration, or disruption of critical services. Organizations relying on web applications or services that incorporate seroval for complex data serialization are particularly exposed. Because exploitation needs only repeated requests and partial knowledge of how serialized data is used, the barrier to targeted attacks is low, especially in environments where attackers can observe or influence serialized data flows. The impact extends to sectors with high reliance on JavaScript-based technologies, including finance, healthcare, and government services. Given the absence of known exploits, proactive patching and mitigation are crucial to prevent future attacks. Failure to address this vulnerability could result in regulatory penalties under GDPR if personal data is compromised, as well as reputational damage and operational downtime.
Mitigation Recommendations
European organizations should immediately upgrade all instances of the seroval library to version 1.4.1 or later, where the vulnerability is fixed. Beyond patching, implement strict input validation and sanitization on all client-to-server JSON data transmissions to prevent injection of malicious serialized payloads. Employ runtime application self-protection (RASP) or Web Application Firewalls (WAFs) configured to detect anomalous request patterns indicative of exploitation attempts, such as multiple similar requests targeting deserialization functions. Conduct thorough code reviews and security testing focusing on serialization and deserialization logic, especially where complex data structures are involved. Limit the privileges of processes handling serialized data to reduce the impact of potential code execution. Monitor logs for unusual activity related to the fromJSON and fromCrossJSON functions, including repeated requests or malformed data. Educate developers on secure serialization practices and the risks of unsafe deserialization. Finally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of injected scripts in web contexts.
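The first recommendation above is to find and upgrade every installed copy of seroval below 1.4.1. The following is an added example, not code from the seroval project or from this advisory's author: a small lockfile scanner that walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3, which key entries by their node_modules path) and reports each seroval entry whose version compares below the fixed version. It includes its own SemVer comparison so that a prerelease such as 1.4.1-beta.1 is correctly treated as older than 1.4.1, and it catches nested copies under another dependency's node_modules, which a top-level check can miss. The sample lockfile, the package names other than seroval, and the nested layout are constructed for illustration.

```javascript
// Added example (not seroval's own code): scan a package-lock.json "packages" map
// (lockfileVersion 2/3) for installed copies of seroval below the advisory's fixed
// version and report them, including copies nested under other dependencies.

const VULNERABLE_PACKAGE = 'seroval';
const FIXED_VERSION = '1.4.1'; // fixed version named in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Compare prerelease identifier lists per the SemVer spec: a release outranks any prerelease,
// numeric identifiers compare numerically and rank below alphanumeric ones, shorter lists rank lower.
function comparePre(a, b) {
  if (!a && !b) return 0;
  if (!a) return 1;
  if (!b) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) { if (+a[i] !== +b[i]) return +a[i] < +b[i] ? -1 : 1; }
    else if (an) return -1;
    else if (bn) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1 for x < y, x == y, x > y.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  return comparePre(a.pre, b.pre);
}

// Every lock entry whose package name is seroval and whose version is below the fix.
// The package name is taken from the entry's "name" field when present, otherwise from
// the last "node_modules/" segment of the path (this also handles scoped packages).
function findVulnerableEntries(lockfile) {
  const pkgs = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === '') continue; // "" is the root project itself
    const idx = path.lastIndexOf('node_modules/');
    const name = meta.name || (idx >= 0 ? path.slice(idx + 'node_modules/'.length) : path);
    if (name !== VULNERABLE_PACKAGE || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level seroval plus a vulnerable copy nested
// under a hypothetical framework package, and a similarly named package that must not match.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/seroval': { version: '1.4.1' },
    'node_modules/some-framework': { version: '2.0.0', dependencies: { seroval: '^1.3.0' } },
    'node_modules/some-framework/node_modules/seroval': { version: '1.3.2' },
    'node_modules/seroval-plugins': { version: '1.4.1' },
  },
};

// Run on a real lockfile path if one is given, otherwise on the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log(findVulnerableEntries(lock));
}
```

Run it as `node scan-seroval.js path/to/package-lock.json`; a non-empty list means at least one copy still needs upgrading, and the reported path tells you which dependency pulled it in. For lockfileVersion 1 files (a nested "dependencies" tree rather than a flat "packages" map) the walk would need to recurse, which this example does not do.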
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-15T15:45:01.957Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69715f584623b1157cf35e64
Added to database: 1/21/2026, 11:20:56 PM
Last enriched: 1/29/2026, 8:40:41 AM
Last updated: 2/5/2026, 7:35:55 PM