Description
Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality.
As there is no known workaround, please upgrade to the latest version.
Recommendation
Update the seroval package to the latest compatible version. Version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
Tags: npm, seroval
Last updated on January 22, 2026


