
CVE Reports

Originally published at cvereports.com


GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start

Vulnerability ID: GHSA-9M65-766C-R333
CVSS Score: 7.1
Published: 2026-05-14

A type confusion vulnerability in the seroval deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).

TL;DR

TanStack Start is vulnerable to deserialization type confusion via the seroval library. Attackers can craft JSON payloads to silently trigger unintended server functions, bypassing request-level middleware and audit logs.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-843
  • Attack Vector: Network
  • Upstream CVSS: 7.1
  • TanStack Start CVSS: Low
  • Impact: Unintended Function Execution / Upstream RCE
  • Exploit Status: Theoretical / Multi-stage

Affected Systems

  • TanStack Start Server Core
  • Seroval Deserialization Library
  • React Server Components utilizing affected TanStack packages
  • Solid Start utilizing affected TanStack packages
  • @tanstack/start-server-core: < 1.167.30 (Fixed in: 1.167.30)
  • seroval: <= 1.5.2 (Fixed in: 1.5.3)

Code Analysis

Commit: ce9408e

Fix internal node type confusion and defense-in-depth measures in seroval.

Mitigation Strategies

  • Upgrade @tanstack/start-server-core to 1.167.30 or higher.
  • Upgrade seroval to 1.5.3 or higher.
  • Enforce strict input validation on all client-exposed server functions.
  • Implement authentication and authorization checks exclusively at the function level via middleware.

Remediation Steps:

  1. Identify all projects utilizing TanStack Start or standalone seroval.
  2. Execute npm install @tanstack/start-server-core@latest seroval@latest to fetch the patched versions.
  3. Verify the dependency tree using npm ls seroval to ensure no transitive dependencies are locking an outdated version.
  4. Audit all createServerFn implementations to confirm the presence of .inputValidator() and .middleware() directives.
  5. Deploy the updated application to all environments.
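As an added example (not part of the report or of the TanStack/seroval projects), the following Node script applies the version thresholds from this advisory to the JSON emitted by npm ls --all --json, so that step 3's check for transitively pinned old copies can be automated. It assumes plain x.y.z versions and uses a constructed sample of npm ls output in place of a real run.

```javascript
// Added example: flag every installed copy of seroval or
// @tanstack/start-server-core that is still below the fixed version.
// Thresholds are the fixed versions stated in the advisory.
const ADVISORY = {
  seroval: "1.5.3",
  "@tanstack/start-server-core": "1.167.30",
};

// Numeric compare of two "x.y.z" strings; negative when a < b.
// Assumption: pre-release suffixes (e.g. "-beta.1") are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested `dependencies` objects of `npm ls --all --json` output
// and record each vulnerable copy together with the path that pulls it in,
// so a transitive pin (remediation step 3) is visible, not just the top level.
function findVulnerable(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || "?"}`];
    const fixed = ADVISORY[name];
    if (fixed && node.version && compareSemver(node.version, fixed) < 0) {
      hits.push({ name, version: node.version, path: here.join(" > ") });
    }
    hits.push(...findVulnerable(node, here));
  }
  return hits;
}

// Constructed sample of `npm ls --all --json`: the top-level seroval is
// patched, but an older start-server-core still nests seroval 1.5.2.
const SAMPLE_NPM_LS = {
  name: "example-app",
  version: "0.1.0",
  dependencies: {
    seroval: { version: "1.5.3" },
    "@tanstack/start-server-core": {
      version: "1.167.29",
      dependencies: { seroval: { version: "1.5.2" } },
    },
  },
};

const REPORT = findVulnerable(SAMPLE_NPM_LS);
for (const h of REPORT) console.log(`VULNERABLE ${h.name} ${h.version} via ${h.path}`);
```

To run it against a real project, replace SAMPLE_NPM_LS with JSON.parse(require("fs").readFileSync(0, "utf8")) and pipe npm ls --all --json into the script.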

Read the full report for GHSA-9M65-766C-R333 on our website for more details including interactive diagrams and full exploit analysis.
