Seroval Remote Code Execution Vulnerability via JSON Deserialization

Vulnerability

A remote code execution vulnerability exists in the Seroval library in versions up to and including 1.4.0. The issue arises from improper input handling in the JSON deserialization process, which can be exploited to execute arbitrary JavaScript code. Exploitation involves overriding constant values and error deserialization, giving indirect access to unsafe JavaScript evaluation. To exploit this vulnerability successfully, an attacker must make at least four separate requests to the same function and have partial knowledge of how the serialized data is processed at runtime. The vulnerability affects the 'fromJSON' and 'fromCrossJSON' functions when they deserialize data sent from the client to the server.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript code execution on the server.

Remediation

Users are advised to upgrade to Seroval version 1.4.1 or later, which contains the fix for this vulnerability.
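The practical check that follows from this advisory is whether a project resolves any copy of seroval below the fixed version. The script below is an added example (not code from the advisory or from the Seroval project) that walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and flags every resolved seroval entry older than 1.4.1, including copies nested under other packages' own node_modules directories. It assumes the package is published under the npm name "seroval"; the lockfile embedded in the block is constructed for illustration.

```javascript
// Added example: flag resolved copies of seroval below the first fixed release
// named in the advisory (1.4.1). Assumes the npm package name is "seroval".
const FIXED_VERSION = "1.4.1";

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; a leading "v" is tolerated.
// Range operators (^, ~, >=) are rejected on purpose: only a resolved, exact
// version from the lockfile tells us what is actually installed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = fixed, null = version string not understood.
function isVulnerable(installedVersion) {
  const parsed = parseVersion(installedVersion);
  if (!parsed) return null;
  return compareVersions(parsed, parseVersion(FIXED_VERSION)) < 0;
}

// Scan the "packages" map of a lockfileVersion 2/3 package-lock.json object.
// Keys look like "node_modules/seroval" or
// "node_modules/<parent>/node_modules/seroval" for nested (deduped-apart) copies.
function findSerovalInLockfile(lock) {
  const results = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/seroval" || path.endsWith("/node_modules/seroval")) {
      results.push({ path, version: info.version, vulnerable: isVulnerable(info.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: one direct copy at 1.4.0 (affected) and one
// nested copy at 1.4.1 (fixed) pulled in by a hypothetical "some-framework".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { seroval: "^1.4.0", "some-framework": "^0.1.0" } },
    "node_modules/seroval": { version: "1.4.0" },
    "node_modules/some-framework": { version: "0.1.0", dependencies: { seroval: "1.4.1" } },
    "node_modules/some-framework/node_modules/seroval": { version: "1.4.1" },
  },
};

// Usage: node this-file.js  (reads the embedded sample; swap in
// JSON.parse(fs.readFileSync("package-lock.json")) for a real project).
for (const r of findSerovalInLockfile(SAMPLE_LOCKFILE)) {
  const status = r.vulnerable === null ? "UNKNOWN" : r.vulnerable ? "AFFECTED" : "fixed";
  console.log(`${r.path}@${r.version}: ${status}`);
}
```

A lockfile can carry several resolved copies of the same package, so a single `npm ls seroval` line for the top-level dependency is not enough; every path that ends in `node_modules/seroval` has to be below 1.4.1 before the remediation in this advisory is complete.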

Added: Jan 21, 2026, 11:30 PM
Updated: Jan 21, 2026, 11:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 2.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.