CVE-2026-23737: CWE-502: Deserialization of Untrusted Data in lxsmnsyc seroval
CVE-2026-23737 is a high-severity deserialization vulnerability in the lxsmnsyc seroval library versions below 1.4.1. The flaw exists in the fromJSON and fromCrossJSON functions, which improperly handle deserialization of complex JavaScript values, enabling arbitrary code execution. Exploitation requires an attacker to send at least four crafted requests to the vulnerable function and have partial knowledge of the serialized data's runtime usage. This vulnerability allows attackers to override constant values and error deserialization, leading to unsafe JavaScript evaluation on the server side. No user interaction is needed, but low-level privileges and network access are required. The issue has been fixed in version 1.4.1, and no known exploits are currently in the wild.
AI Analysis
Technical Summary
The vulnerability CVE-2026-23737 affects the seroval library, a tool designed to facilitate JavaScript value stringification and deserialization beyond the capabilities of JSON.stringify. Versions prior to 1.4.1 contain a critical flaw in the deserialization logic within the fromJSON and fromCrossJSON functions. Specifically, the library improperly handles untrusted input during deserialization, allowing attackers to manipulate constant values and error objects. This manipulation leads to indirect invocation of unsafe JavaScript evaluation, effectively enabling arbitrary code execution on the server. Exploitation requires an attacker to perform at least four distinct requests targeting the same deserialization function and to have partial insight into how the serialized data is processed at runtime. The attack vector is network-based, with no user interaction required, but low privileges and the ability to send crafted requests are necessary. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary code execution can lead to data leakage, unauthorized modifications, or service disruption. The flaw has been addressed in seroval version 1.4.1, which corrects the input handling and deserialization process to prevent unsafe evaluation. No public exploits have been reported yet, but the high CVSS score of 7.5 reflects the significant risk posed by this vulnerability.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those relying on the seroval library in client-server architectures where serialized JavaScript data is exchanged. Successful exploitation can lead to full compromise of affected servers, resulting in unauthorized data access, data manipulation, or denial of service. Sectors with sensitive data such as finance, healthcare, and government services are particularly vulnerable due to the potential for data breaches and operational disruption. The requirement for multiple crafted requests and partial knowledge of serialized data may limit opportunistic attacks but does not prevent targeted intrusions. Given the widespread use of JavaScript serialization libraries in web applications, organizations using outdated seroval versions could face significant exposure. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, increasing the overall threat landscape. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity necessitates urgent attention.
Mitigation Recommendations
European organizations should immediately upgrade all instances of the seroval library to version 1.4.1 or later to eliminate the vulnerability. Beyond patching, it is critical to implement strict input validation and sanitization on all serialized data received from clients, ensuring that only expected data types and structures are processed. Employing runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block anomalous deserialization requests can provide additional defense layers. Monitoring network traffic for patterns indicative of repeated crafted requests targeting deserialization functions can help identify attempted exploitation. Organizations should also conduct code audits to identify any custom deserialization logic that might be vulnerable and apply similar hardening measures. Finally, enforcing the principle of least privilege on services handling deserialization can limit the impact of potential exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-15T15:45:01.957Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69715f584623b1157cf35e64
Added to database: 1/21/2026, 11:20:56 PM
Last enriched: 1/21/2026, 11:35:14 PM
Last updated: 1/22/2026, 12:21:48 AM