lxsmnsyc seroval
- <= 1.4.0
A prototype pollution vulnerability has been identified in the Seroval package, affecting versions up to and including 1.4.0. The JSON deserialization feature does not validate object keys before assigning them onto the object it reconstructs, so an attacker-controlled key that targets the prototype (such as `__proto__`) is assigned like any other property and can manipulate the prototype of the deserialized object. The issue is confined to the JSON deserialization feature.
Successful exploitation pollutes the prototype of a deserialized object: attacker-supplied properties become visible through the prototype chain even though they are not own properties, so checks such as `if (user.isAdmin)` or `'key' in obj` can be satisfied by data the application never set. The concrete impact depends on how the application uses the deserialized value, ranging from unexpected behaviour to further vulnerabilities (for example, authorization or configuration decisions driven by inherited properties).
To reproduce, use Seroval 1.4.0 or earlier and build a JSON document whose object carries a key that targets the prototype (for example `__proto__`) with an attacker-chosen object as its value. Passing that document to Seroval's JSON deserialization triggers the pollution: because the key is assigned without validation, the deserialized object ends up with the attacker-supplied prototype, and any property on it is inherited by the result.
Users are advised to upgrade to Seroval version 1.4.1 or later, where this vulnerability has been patched. Until the upgrade is in place, treat input to the JSON deserialization feature as trusted only; do not deserialize JSON that originates from an untrusted party.
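The bug class, illustrated with an added example that is not taken from Seroval's source: a minimal JSON reviver that copies keys with `obj[key] = value` (the vulnerable pattern) beside a hardened reviver that rejects prototype-related keys and defines properties without going through inherited setters. The plain-JSON wire format, the names `reviveNaive`/`reviveSafe` and the payload are constructed for this example; Seroval's actual node format and internal function names are not shown on this page and are not reproduced.

```javascript
// Added example (not seroval's code): a minimal JSON deserializer that
// rebuilds objects key by key, first in the vulnerable style, then hardened.
// The wire format is plain JSON; seroval's real node format is not reproduced.

// Vulnerable style: every key from the input is assigned with obj[key] = value.
// A key named "__proto__" reaches the Object.prototype.__proto__ setter that
// the fresh object inherits, replacing its prototype with attacker data.
function reviveNaive(node) {
  if (Array.isArray(node)) return node.map(reviveNaive);
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const key of Object.keys(node)) {
      out[key] = reviveNaive(node[key]); // vulnerable assignment
    }
    return out;
  }
  return node;
}

// "__proto__" is the key that actually switches the prototype; "constructor"
// and "prototype" are refused as defence in depth against gadget chains.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened style: refuse prototype-related keys outright, and use
// Object.defineProperty so that any remaining key can only ever become an
// own data property, never a call into an inherited setter.
function reviveSafe(node) {
  if (Array.isArray(node)) return node.map(reviveSafe);
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const key of Object.keys(node)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new TypeError(`refusing to deserialize forbidden key "${key}"`);
      }
      Object.defineProperty(out, key, {
        value: reviveSafe(node[key]),
        writable: true, enumerable: true, configurable: true,
      });
    }
    return out;
  }
  return node;
}

// Constructed attacker payload: JSON.parse keeps "__proto__" as an ordinary
// own property of the parsed object; it is the revive step that turns the
// key into a prototype change.
const PAYLOAD = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Vulnerable path: isAdmin is readable on the result although it is not an
// own property, and the result's prototype is no longer Object.prototype.
function demoNaive() {
  const user = reviveNaive(JSON.parse(PAYLOAD));
  return {
    isAdmin: user.isAdmin,
    ownIsAdmin: Object.prototype.hasOwnProperty.call(user, 'isAdmin'),
    protoIsObjectPrototype: Object.getPrototypeOf(user) === Object.prototype,
  };
}

// Hardened path: the same payload is rejected before any assignment happens.
function demoSafe() {
  try {
    reviveSafe(JSON.parse(PAYLOAD));
    return { rejected: false };
  } catch (e) {
    return { rejected: e instanceof TypeError };
  }
}

// A benign document still round-trips through the hardened path unchanged.
function demoSafeBenign() {
  const obj = reviveSafe(JSON.parse('{"name":"guest","roles":["viewer"]}'));
  return obj.name === 'guest' && obj.roles[0] === 'viewer' &&
    Object.getPrototypeOf(obj) === Object.prototype;
}

console.log(demoNaive(), demoSafe(), demoSafeBenign());
```

Note that this pattern pollutes the prototype of the reconstructed object only, which matches the advisory's "modify an object's prototype"; a deserializer that merges incoming keys into an already existing object (for instance while resolving references) can walk through `__proto__` into the shared `Object.prototype` and affect every object in the process, so the same key check is needed on that path too.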