CVE-2026-23736 Overview
CVE-2026-23736 is an insecure-deserialization vulnerability in seroval, a JavaScript library for stringifying values that JSON.stringify cannot represent (object references, cycles, Promises and similar). In versions 1.4.0 and below, a malicious object key in serialized input can trigger prototype pollution during JSON deserialization. The issue is specific to the library's JSON deserialization path, i.e. fromJSON().
Critical Impact
Prototype pollution lets an attacker add or overwrite properties on a shared prototype such as Object.prototype, which every plain object in the process then inherits. Depending on what the application later reads from those objects, the effect ranges from altered application logic and bypassed security checks (an option or flag that appears set although nobody set it) to denial of service, and to remote code execution where a polluted property reaches a suitable sink in the application or one of its dependencies.
Affected Products
- seroval versions 1.4.0 and below
- Applications using seroval's fromJSON() deserialization functionality
- Node.js and browser environments utilizing seroval for JSON serialization
Discovery Timeline
- 2026-01-21 - CVE CVE-2026-23736 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-23736
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. seroval extends native JSON.stringify with support for complex JavaScript structures, including Promises, shared references and circular references. Versions 1.4.0 and below do not validate object keys while rebuilding objects in the fromJSON() deserialization path.
The attack vector is network-based and requires neither privileges nor user interaction: any remote attacker who can get a crafted serialized payload to a fromJSON() call can exploit it. When the payload contains a key such as __proto__, constructor or prototype, the deserialization step writes through the prototype chain instead of onto an own property of the object being rebuilt, so the injected values end up on Object.prototype.
Root Cause
The root cause is missing input validation in the JSON deserialization logic: the library neither rejects nor neutralizes keys that address the prototype chain. When rebuilding objects from incoming data, seroval assigns properties by key without checking whether the key is __proto__ (or another prototype-related name), so an attacker can place arbitrary properties on Object.prototype.
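The pattern in question, as an added illustration written for this page (it is not seroval's code and does not reproduce seroval's wire format): a restore step that walks a parsed JSON tree and assigns into a target object. Because JSON.parse produces an own property literally named __proto__, reading target["__proto__"] back hands the walker Object.prototype, and the next assignment lands there. The function names, the polluted property and the payload are constructed for the example; the hardened variant rejects the three prototype-related keys and only descends into own properties.

```javascript
// Added illustration (not seroval's code). restoreUnsafe, restoreSafe and the
// payload are invented for this example.

// Vulnerable: walks the parsed tree and writes into the target with no key
// validation. For key "__proto__", target[key] is Object.prototype, so the
// recursive call writes the nested values onto every plain object.
function restoreUnsafe(target, tree) {
  for (const key of Object.keys(tree)) {
    const value = tree[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      restoreUnsafe(target[key], value);   // descends into Object.prototype for "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse prototype-related keys outright and never descend into a
// property the target merely inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function restoreSafe(target, tree) {
  for (const key of Object.keys(tree)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to deserialize prototype-related key: ${key}`);
    }
    const value = tree[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && typeof target[key] === 'object' && target[key] !== null;
      if (!ownObject) {
        target[key] = {};                   // always a fresh own property
      }
      restoreSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it might arrive in a request body.
const PAYLOAD = '{"name":"demo","__proto__":{"polluted":"yes"}}';

// Returns what an unrelated object sees after the unsafe restore ("yes").
function demoUnsafe() {
  const probe = {};                        // created before the attack, never touched by it
  try {
    restoreUnsafe({}, JSON.parse(PAYLOAD));
    return probe.polluted;
  } finally {
    delete Object.prototype.polluted;      // undo the pollution so the process stays usable
  }
}

// Returns "rejected" when the hardened restore throws and nothing leaked.
function demoSafe() {
  const probe = {};
  try {
    restoreSafe({}, JSON.parse(PAYLOAD));
    return 'accepted';
  } catch (e) {
    return probe.polluted === undefined ? 'rejected' : 'rejected-but-polluted';
  }
}
```

The unsafe walker is the textbook CWE-1321 shape (read by attacker-controlled key, then write into what came back); the safe one treats the key set as a deny-list and additionally refuses to follow inherited properties, which also blocks the constructor.prototype route.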
Attack Vector
Attackers can exploit this vulnerability by sending maliciously crafted JSON payloads to applications using seroval's fromJSON() function. The attack requires:
- Network access to an application endpoint that deserializes user-supplied JSON via seroval
- A crafted payload containing prototype-polluting keys (e.g., __proto__)
- No authentication or user interaction required
The security patch (linked below) adds key validation during deserialization; the excerpt reproduced on this page is only a fragment of that commit:
SerovalNodeType.RegExp,
id,
NIL,
- NIL,
serializeString(current.source),
current.flags,
NIL,
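Review bot: this excerpt shows only the RegExp node tuple (SerovalNodeType.RegExp, id, NIL, serializeString(current.source), current.flags, NIL) with one `NIL,` entry removed; nothing in it touches object-key handling, so it does not evidence the key validation the paragraph above describes. Quote the hunk that adds the __proto__/constructor/prototype check, or name the function in the commit that does, so a reader can verify the fix from the page.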
Source: GitHub Commit Update
Detection Methods for CVE-2026-23736
Indicators of Compromise
- Unexpected properties on built-in prototypes (Object.prototype, Array.prototype, Function.prototype), visible for example as extra keys turning up in for...in loops or in `key in obj` checks on freshly created objects
- Application behaviour changes that cannot be traced to a code change, such as options or flags taking values nobody configured
- JSON request bodies containing __proto__, constructor or prototype keys, including escaped spellings such as \u005f\u005fproto\u005f\u005f that a plain string match on the raw body misses
- TypeErrors ("x is not a function", "Cannot read properties of ...") thrown from code paths unrelated to the request, a common side effect when a polluted property shadows a method or is picked up as an option
Detection Strategies
- Log (or hash and log) the JSON bodies that reach seroval's fromJSON() so that a polluting payload can be located after the fact
- Treat web application firewall (WAF) rules for prototype-pollution patterns as an early-warning signal rather than the control: JSON unicode escapes and deeply nested keys defeat naive string matching, so the authoritative check belongs after parsing, inside the application
- Use runtime application self-protection (RASP) or an in-process integrity check to detect modifications to Object.prototype and the other built-in prototypes
- Run dependency scanning for vulnerable seroval versions, including transitive dependencies, since seroval is often pulled in by another package rather than imported directly
Monitoring Recommendations
- Monitor application logs for deserialization errors or unexpected object property access patterns
- Set up alerts for suspicious JSON payloads containing prototype-related keys in request bodies
- Implement integrity checks on critical Object prototype properties to detect unauthorized modifications
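One way to implement the prototype integrity check listed above, as an added example (not seroval's or SentinelOne's code; the names are invented for this page): take a baseline of the own keys on the prototypes that matter at startup, before any request is handled, and compare against it later. Anything present that was not in the baseline is a candidate pollution event and should be alerted on.

```javascript
// Added example (not seroval's or SentinelOne's code); names are invented.

const WATCHED_PROTOTYPES = [
  ['Object.prototype', Object.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
];

// Take the baseline at process startup, before the first request is deserialized.
// Reflect.ownKeys includes non-enumerable and symbol-keyed properties, so a
// property added via Object.defineProperty would be caught as well.
function snapshotPrototypes() {
  const baseline = new Map();
  for (const [name, proto] of WATCHED_PROTOTYPES) {
    baseline.set(name, new Set(Reflect.ownKeys(proto)));
  }
  return baseline;
}

// Compare the live prototypes against the baseline; returns one entry per key
// that was added since the snapshot (empty array means no change).
function checkPrototypes(baseline) {
  const added = [];
  for (const [name, proto] of WATCHED_PROTOTYPES) {
    const known = baseline.get(name);
    for (const key of Reflect.ownKeys(proto)) {
      if (!known.has(key)) {
        added.push({ prototype: name, key: String(key) });
      }
    }
  }
  return added;
}

// Demo: a clean check, then the state a successful exploit leaves behind.
function demoIntegrityCheck() {
  const baseline = snapshotPrototypes();
  const clean = checkPrototypes(baseline).length;   // expected 0
  Object.prototype.polluted = 'yes';                // simulated pollution (constructed)
  try {
    return { clean, after: checkPrototypes(baseline) };
  } finally {
    delete Object.prototype.polluted;               // restore the process
  }
}
```

Run checkPrototypes() on a timer or after each deserialization batch and page on a non-empty result, including the added key names in the alert. The check reports added keys only; to also catch an existing property being replaced (toString or hasOwnProperty swapped for an attacker-controlled function), store the property descriptors in the baseline and compare their values too.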
- Use SentinelOne's Singularity platform to monitor for exploitation attempts and runtime anomalies
How to Mitigate CVE-2026-23736
Immediate Actions Required
- Upgrade seroval to version 1.4.1 or later immediately
- Audit your codebase for all usages of seroval's fromJSON() function and trace which of them receive data from untrusted sources
- Validate all JSON data against an allow-list of expected keys before deserialization
- As defense in depth, consider calling Object.freeze(Object.prototype) at process startup. Caveats: it must run after any polyfills or libraries that legitimately extend Object.prototype have loaded; a pollution attempt then throws a TypeError in strict-mode code (the outcome becomes an error response rather than silent pollution) and is silently ignored in sloppy-mode code; and it does not protect other prototypes such as Array.prototype unless those are frozen as well
Patch Information
The vulnerability has been fixed in seroval version 1.4.1. The security patch is available via the GitHub Commit. Full details about the vulnerability and remediation are documented in the GitHub Security Advisory GHSA-hj76-42vx-jwp4.
Workarounds
- If you cannot upgrade immediately, strip or reject object keys named __proto__, constructor and prototype before data reaches seroval; the check must be applied recursively to nested objects and array elements, not only to the top-level object
- Use a JSON schema validator with additionalProperties disabled to restrict incoming payloads to the keys you expect
- Run seroval deserialization in a separate realm (a Node.js vm context or a worker thread), which has its own Object.prototype, so pollution there cannot reach the main application's objects; validate whatever crosses the boundary back
- For simple cases that do not need seroval's extra features, fall back to native JSON.parse(). JSON.parse itself pollutes nothing (a "__proto__" key becomes an ordinary own property of the result), but that own property is exactly what a later deep merge turns into pollution, so the parsed result still needs key filtering before it is merged into existing objects
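The key pre-filter from the first workaround and the payload alerting from the Monitoring Recommendations section can share one pass over the parsed body. The following added example (not seroval's code; the function names and the sample body are constructed for this page) walks the parsed JSON once, records the path of every prototype-related key for logging, and returns a copy with those subtrees removed that can then be handed to the deserializer.

```javascript
// Added example (not seroval's code); function names and sample body are invented.

const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed JSON value. Returns { findings, sanitized }:
//   findings  - JSONPath-style locations of every prototype-related key seen
//   sanitized - a deep copy with those keys (and everything under them) removed
function auditKeys(value, path = '$', findings = []) {
  if (Array.isArray(value)) {
    const out = value.map((item, i) => auditKeys(item, `${path}[${i}]`, findings).sanitized);
    return { findings, sanitized: out };
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    // Object.keys sees the OWN "__proto__" property that JSON.parse creates,
    // so the check works on the parsed tree rather than on the raw string.
    for (const key of Object.keys(value)) {
      if (PROTOTYPE_KEYS.has(key)) {
        findings.push(`${path}.${key}`);
        continue;                          // drop the key and its whole subtree
      }
      out[key] = auditKeys(value[key], `${path}.${key}`, findings).sanitized;
    }
    return { findings, sanitized: out };
  }
  return { findings, sanitized: value };   // primitives pass through unchanged
}

// Constructed sample: one legitimate field plus two pollution attempts, one of
// them nested inside an array element.
const SAMPLE_BODY =
  '{"user":{"name":"alice","__proto__":{"isAdmin":true}},' +
  '"items":[{"constructor":{"prototype":{"x":1}}}]}';

function demoAudit() {
  const parsed = JSON.parse(SAMPLE_BODY);
  const { findings, sanitized } = auditKeys(parsed);
  return { findings, sanitized: JSON.stringify(sanitized) };
}
```

Prefer rejecting the request outright when findings is non-empty (an HTTP 400 plus a log line carrying the paths) over silently stripping; stripping is the fallback for the window in which the vulnerable version is still deployed. The same findings list feeds the request-body alerting described under Monitoring Recommendations.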
# Update seroval to the patched release
npm install seroval@^1.4.1
# Or pin the exact version in package.json
npm install seroval@1.4.1 --save-exact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


