Escargot JS Deserialization Attack Enabling DoS via Process Abort
CVE-2026-25204 Published on April 13, 2026
A deserialization of untrusted data vulnerability in Samsung Open Source Escargot JavaScript allows a denial-of-service condition via process abort. This issue affects Escargot prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335.
Vulnerability Analysis
CVE-2026-25204 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-25204 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
What is an Object Type Confusion Vulnerability?
The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CVE-2026-25204 has been classified as an Object Type Confusion vulnerability or weakness.
Affected Versions
Samsung Open Source Escargot Version 97e8115ab1110bc502b4b5e4a0c689a71520d335 is affected by CVE-2026-25204.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.