CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad


GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start

Alon Barad, Software Engineer

May 14, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

TanStack Start is vulnerable to deserialization type confusion via the `seroval` library. Attackers can craft JSON payloads to silently trigger unintended server functions, bypassing request-level middleware and audit logs.

A type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).

Vulnerability Overview

GHSA-9M65-766C-R333 affects the server core of the TanStack Start framework. The vulnerability originates from an upstream type-confusion flaw in the seroval library (GHSA-3rxj-6cgf-8cfw / CVE-2026-23737). TanStack Start relies on seroval to serialize and deserialize the complex JavaScript values, including cyclical references and Promises, that cross the client-server boundary.

The attack surface is exposed through any server function endpoint that accepts JSON payloads. An attacker can craft a specific JSON payload designed to confuse the internal node types during the deserialization phase. This confusion overrides expected object boundaries and internal references within the deserialization state.

In the context of TanStack Start, this deserialization failure triggers the execution of unintended "sibling" server functions referenced within the same client bundle. The primary impact is the unauthorized invocation of these functions. Upstream, in standalone deployments of seroval, the type confusion is categorized as a Remote Code Execution (RCE) vulnerability.

Root Cause Analysis

The root cause is a type confusion flaw (CWE-843) in the fromJSON and fromCrossJSON functions of the seroval library. seroval uses a custom format to represent object graphs that standard JSON.parse cannot natively express. This format relies on internal node types to reconstruct references, symbols, and deeply nested specialized objects.

The vulnerability manifests when an incoming JSON body mimics these internal seroval node types, such as reference identifiers or plugin-specific headers. The deserializer processes the unvalidated input and assigns the attacker-controlled types to the internal state tracking mechanism. This effectively corrupts the internal dictionary used to resolve object references during reconstruction.

When the compromised state is processed, the deserializer resolves references incorrectly. In TanStack Start, this manipulation allows the attacker to alias the requested server function (Function A) to a different, secondary function (Function B) during the object reconstruction phase. The framework then executes Function B instead of, or alongside, Function A.

This execution bypasses request-level middleware. Because the HTTP request originally targeted Function A, request-level logging and security filters execute against Function A's context. The transition to Function B occurs purely within the deserialization state, rendering the invocation of Function B invisible to higher-level routing controls.

Code Analysis

The flaw resides in the lack of boundary validation between public data payloads and internal structural definitions within seroval. The parser blindly trusts specific key patterns mapping to node types. When an attacker provides these keys inside the JSON body, the parser shifts its state machine inappropriately.

The fix, introduced in seroval commit ce9408ebc87312fcad345a73c172212f2a798060, implements defense-in-depth measures against internal node type spoofing. The patch hardens the fromJSON and fromCrossJSON parsing routines by strictly isolating internal tracking data from user-supplied values.

// Conceptual representation of the patch logic (illustrative, not seroval's source)
// Tags reserved for nodes that only the server-side serializer may emit; the real
// tag values are seroval internals, so placeholders stand in for them here.
const INTERNAL_RESERVED_TYPES = new Set(["<internal-reference-tag>", "<plugin-header-tag>"]);

function isInternalReservedType(type) {
  return INTERNAL_RESERVED_TYPES.has(type);
}

function deserializeNode(node, context) {
  // Pre-patch: direct reliance on node.type, whatever the caller supplied
  // Post-patch: user input cannot instantiate internal-only node types
  if (isInternalReservedType(node.type) && !context.isTrustedOrigin) {
    throw new Error("Invalid node type encountered");
  }
  // Proceed with safe deserialization of an ordinary data node
  return node;
}

By enforcing these boundary checks, the parser prevents external JSON from dictating the internal reference state. This completely halts the type confusion, ensuring that references mapped during object reconstruction exclusively point to the data intended by the original server-side serialization.

Exploitation

Exploitation requires the attacker to identify a target TanStack Start application exposing server functions to the client. The attacker must understand the specific internal representation seroval uses for references and construct a JSON payload that encodes these structures.

For the TanStack Start sibling-function invocation, the attacker sends a single HTTP request targeting an open server function. The payload is crafted to overwrite the internal reference pointer of the target function with the reference pointer of the desired secondary function. The framework deserializes the request, resolves the manipulated pointer, and executes the secondary function.

Exploiting the standalone seroval vulnerability for Remote Code Execution (RCE) is significantly more complex. The upstream advisory indicates that achieving RCE requires at least four separate, coordinated requests. The attacker must progressively override constant values and manipulate error deserialization routines to establish the state required for unsafe JavaScript evaluation.

While the request-level middleware is bypassed during the TanStack Start exploit, the function-specific middleware of the secondary function is still invoked. If the secondary function utilizes .middleware() for authentication or .inputValidator() for schema validation, these checks will execute against the attacker's payload. A successful attack relies on the secondary function either lacking these checks or the attacker providing data that satisfies them.

Impact Assessment

The concrete security impact depends entirely on the architecture of the target application. In TanStack Start, the attacker gains the ability to execute "client-referenced" server functions. These are functions explicitly exposed to the client bundle. Functions marked strictly as server-only (isClientReferenced: false) remain unreachable via this vector.

If the application exposes sensitive state-mutating functions (e.g., database updates, user role modifications) without strict function-level authorization and validation, the attacker can trigger these actions unauthorized. The bypass of request-level middleware means standard HTTP access logs will only show activity against the benign initial endpoint, severely degrading observability and complicating incident response.

The maintainers of TanStack Start assess the vulnerability severity as Low (CVSS v4.0 Low band, 0.0 to 3.9), because exploitation requires the application to possess poorly configured secondary functions. The function-level middleware must be deficient for the attacker to achieve meaningful impact.

Conversely, the upstream vulnerability in seroval (GHSA-3rxj-6cgf-8cfw) carries a High CVSS v3.1 score of 7.1. This higher score reflects the theoretical capability to achieve Remote Code Execution in non-sandboxed environments that utilize seroval without the contextual protections provided by the TanStack Start framework.

Remediation

The primary and complete remediation strategy is to upgrade the affected packages to their patched versions. Administrators must upgrade @tanstack/start-server-core to version 1.167.30 or later. This release enforces a dependency on seroval version 1.5.3, which contains the comprehensive fix for the type confusion flaw.

In environments where immediate patching is not technically feasible, developers must enforce strict defense-in-depth measures on all client-exposed functions. Every createServerFn must implement rigid schema validation using .inputValidator(...) with a library like Zod. This ensures that any manipulated deserialized data fails validation before execution.

Furthermore, developers must verify that authorization logic is implemented at the function level. Relying on request-level middleware or global routing rules is insufficient to protect against this flaw. All privileged actions must utilize .middleware([...]) checks to explicitly verify the context and authorization state of the invocation.
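As an added example (not code from TanStack Start or seroval), the following TypeScript models what the remediation above asks for: authorization and input validation attached to the function itself, in the role that .middleware([...]) and .inputValidator(...) play in TanStack Start, plus a function-level audit log that names the function that actually ran rather than the endpoint the HTTP request targeted. The requestedFn field, the invoke dispatcher, the sample role store and the hand-written validator (standing in for a Zod schema) are assumptions of this model.

```typescript
// Added model of function-level defenses; not TanStack Start's or seroval's own code.
type Ctx = { requestedFn: string; user?: { id: string; roles: string[] } };
type Middleware = (ctx: Ctx) => void;
interface ServerFn<T> {
  id: string;
  inputValidator: (raw: unknown) => T;   // rejects anything off-schema
  middleware: Middleware[];              // function-level authorization
  handler: (input: T, ctx: Ctx) => unknown;
}
const auditLog: string[] = [];  // names the executed function, unlike HTTP access logs

function invoke<T>(fn: ServerFn<T>, raw: unknown, ctx: Ctx): unknown {
  // Assumption of this model: the dispatcher knows which function the request named.
  const tag = fn.id === ctx.requestedFn ? "ok" : "ALERT sibling-invocation";
  auditLog.push(`${tag} requested=${ctx.requestedFn} executed=${fn.id}`);
  for (const m of fn.middleware) m(ctx);  // authorization before any input handling
  const input = fn.inputValidator(raw);   // then schema validation of deserialized data
  return fn.handler(input, ctx);
}
const requireAdmin: Middleware = (ctx) => {
  if (!ctx.user?.roles.includes("admin")) throw new Error("forbidden");
};

type RoleChange = { userId: string; role: "user" | "admin" };
function validateRoleChange(raw: unknown): RoleChange {  // stand-in for a Zod schema
  if (typeof raw !== "object" || raw === null) throw new Error("invalid input");
  const o = raw as Record<string, unknown>;
  const userId = o.userId;
  const role = o.role === "admin" ? "admin" : o.role === "user" ? "user" : null;
  if (typeof userId !== "string" || role === null) throw new Error("invalid input");
  return { userId, role };
}
const roles = new Map<string, string>([["u1", "user"]]);  // constructed sample state

// Privileged sibling function: its checks run however the call was reached.
const updateRole: ServerFn<RoleChange> = {
  id: "updateRole",
  inputValidator: validateRoleChange,
  middleware: [requireAdmin],
  handler: (input) => { roles.set(input.userId, input.role); return roles.get(input.userId); },
};

// A request that named "getProfile" but was aliased to updateRole by a non-admin.
function aliasedCallByNonAdmin(): string {
  const ctx: Ctx = { requestedFn: "getProfile", user: { id: "u1", roles: ["user"] } };
  try { return String(invoke(updateRole, { userId: "u1", role: "admin" }, ctx)); }
  catch (e) { return (e as Error).message; }
}
```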

Official Patches

  • TanStack: TanStack Router Security Advisory
  • Seroval: Seroval Upstream Advisory

Technical Appendix

CVSS Score: 7.1 / 10
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • TanStack Start Server Core
  • Seroval Deserialization Library
  • React Server Components utilizing affected TanStack packages
  • Solid Start utilizing affected TanStack packages

Affected Versions Detail

  • @tanstack/start-server-core (TanStack): affected versions < 1.167.30; fixed in 1.167.30
  • seroval (Seroval): affected versions <= 1.5.2; fixed in 1.5.3

Attributes

  • CWE ID: CWE-843
  • Attack Vector: Network
  • Upstream CVSS: 7.1
  • TanStack Start CVSS: Low
  • Impact: Unintended Function Execution / Upstream RCE
  • Exploit Status: Theoretical / Multi-stage

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1574 Hijack Execution Flow (Privilege Escalation)

CWE-843 Type Confusion: Access of Resource Using Incompatible Type ('Type Confusion')

Vulnerability Timeline

  • 2025-12-03: General security alerts published regarding RSC and Flight protocol deserialization vulnerabilities.
  • 2026-01-21: Upstream vulnerability in seroval patched via commit ce9408ebc87312fcad345a73c172212f2a798060.
  • 2026-05-14: TanStack-specific advisory GHSA-9M65-766C-R333 published detailing the sibling function invocation impact.


Related Vulnerabilities

  • CVE-2026-23737

Attack Flow Diagram: interactive node and edge graph, not reproduced in text.