Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Seroval, a library that stringifies JavaScript values beyond what JSON.stringify can handle, has a flaw that affects versions 0.2.0 through 1.4.0. The vulnerability is an instance of CWE-1333 (Inefficient Regular Expression Complexity): catastrophically large or backtracking-heavy regular expressions exhaust runtime resources. An attacker can override RegExp serialization with an extremely large pattern, exhausting JavaScript runtime memory during deserialization, or with a pattern designed for catastrophic backtracking, causing a ReDoS; either results in a denial of service. These flaws can be triggered simply by supplying crafted input to the deserialization process, without authentication, and were fixed in version 1.4.1.

Affected Systems

The library Seroval is published by lxsmnsyc as an npm package for Node.js. Vulnerable releases span 0.2.0 to 1.4.0. Any installation running one of those versions that deserializes external or user-supplied data is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. Nevertheless, the vulnerability can be triggered easily by providing a specially crafted string to any code that uses Seroval for deserialization, without authentication. The absence of a CISA KEV listing indicates that active exploitation has not been confirmed, but the combination of the package's widespread use and the severity of the denial of service warrants proactive attention.

Generated by OpenCVE AI on May 20, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seroval to version 1.4.1 or later to incorporate the fix.
  • Remove or limit custom RegExp serialization when using Seroval, or constrain pattern size to prevent memory exhaustion.
  • Validate or sanitize any data before it is passed to Seroval for deserialization, and avoid deserializing untrusted input whenever possible.

Advisories
Source: GitHub GHSA
ID: GHSA-hx9m-jf43-8ffr
Title: seroval affected by Denial of Service via RegExp serialization
History

Wed, 20 May 2026 01:30:00 +0000

Description
  Removed: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
  Added: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
References: (no values shown)

Fri, 27 Feb 2026 19:45:00 +0000

CPEs
  Removed: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*
  Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

Fri, 27 Feb 2026 15:45:00 +0000

CPEs
  Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared
  Added: Lxsmnsyc; Lxsmnsyc seroval
Vendors & Products
  Added: Lxsmnsyc; Lxsmnsyc seroval

Thu, 22 Jan 2026 23:00:00 +0000

Metrics: ssvc
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 12:15:00 +0000

References: (no values shown)
Metrics: threat_severity
  Removed: None
  Added: Important


Thu, 22 Jan 2026 02:00:00 +0000

Description
  Added: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Title
  Added: seroval affected by Denial of Service via RegExp serialization
Weaknesses
  Added: CWE-1333
References: (no values shown)
Metrics: cvssV3_1
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-05-20T00:53:15.264Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23956

Vulnrichment

Updated: 2026-01-22T19:14:51.927Z

NVD

Status: Modified

Published: 2026-01-22T02:15:52.310

Modified: 2026-05-20T02:16:35.403

Link: CVE-2026-23956

Red Hat

Severity: Important

Public Date: 2026-01-22T01:23:58Z

Links: CVE-2026-23956 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T03:00:12Z

Weaknesses
  • CWE-1333: Inefficient Regular Expression Complexity