Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Upgrade
AI Analysis

Impact

Seroval, a library used for JavaScript value stringification beyond JSON.stringify, has a flaw in versions 1.4.0 and earlier: when RegExp serialization is overridden, an excessively large pattern in the serialized data can exhaust the JavaScript runtime's memory during deserialization. In addition, a crafted pattern that triggers catastrophic backtracking causes a Regular Expression Denial of Service, so an attacker can disrupt service simply by supplying crafted input that passes through the deserialization process.

Affected Systems

The affected product is Seroval, developed by lxsmnsyc and distributed as an npm package for Node.js. Vulnerable versions are 1.4.0 and earlier; any deployment on these versions is at risk, particularly one that deserializes user-supplied or remote data with the library.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a network-reachable, low-complexity, unauthenticated denial of service with no confidentiality or integrity impact, while the EPSS score below 1% suggests a low probability of exploitation at present. The trigger is nonetheless simple: a specially crafted serialized payload reaching any code that deserializes it with Seroval, with no authentication required. Absence from the CISA KEV catalog means no in-the-wild exploitation has been confirmed and recorded there, not that exploitation has been ruled out; the combination of the package's wide use and the severity of the denial of service warrants proactive attention.

Generated by OpenCVE AI on April 18, 2026 at 04:01 UTC.

Remediation

The vendor fix is seroval 1.4.1, per the description above. No separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Seroval to version 1.4.1 or later to incorporate the fix.
  • Remove or limit custom RegExp serialization when using Seroval, or constrain pattern size to prevent memory exhaustion.
  • Validate or sanitize any data before it is passed to Seroval for deserialization, and avoid deserializing untrusted input whenever possible.
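The second and third recommended actions (constrain pattern size, validate before deserializing) in working form, and a demonstration of the two failure modes the Impact section names. This is an added example, not seroval's code or API: the helper names, the 1024-character cap, and the `{ pattern, flags }` node shape handed to `deserializeRegExpNode` are assumptions for illustration, not seroval's internal serialization format.

```javascript
// Added example, not code from seroval or its author. It shows the two
// failure modes named in the advisory (oversized pattern -> memory, nested
// quantifier -> catastrophic backtracking) and a guard that a consumer of a
// serialized payload can apply before calling `new RegExp`. All names, the
// size cap and the RegExp node shape are assumptions for illustration.

const MAX_PATTERN_LENGTH = 1024; // assumed cap; size it to your real data

// Heuristic only: catches the classic (x+)+, (x*)+, (x+)*, (x+){n,} shapes.
// It is not a full ReDoS analysis; overlapping alternations slip through.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*]\??\)[+*{]/;

// Flags the RegExp constructor accepts (the constructor itself rejects
// invalid combinations, and the try/catch below turns that into a result).
const VALID_FLAGS = /^[dgimsuvy]*$/;

// Returns { ok: true, value: RegExp } or { ok: false, reason: string }.
function regExpFromUntrusted(pattern, flags = '', opts = {}) {
  const maxLength = opts.maxLength ?? MAX_PATTERN_LENGTH;
  if (typeof pattern !== 'string' || typeof flags !== 'string') {
    return { ok: false, reason: 'pattern and flags must be strings' };
  }
  // Size check first: an attacker-sized pattern must never reach the engine.
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern length ${pattern.length} exceeds ${maxLength}` };
  }
  if (!VALID_FLAGS.test(flags) || new Set(flags).size !== flags.length) {
    return { ok: false, reason: `invalid flags "${flags}"` };
  }
  if (NESTED_QUANTIFIER.test(pattern)) {
    return { ok: false, reason: 'nested quantifier (catastrophic backtracking risk)' };
  }
  try {
    return { ok: true, value: new RegExp(pattern, flags) };
  } catch (e) {
    return { ok: false, reason: `invalid pattern: ${e.message}` };
  }
}

// Hypothetical deserializer hook for a RegExp node of the shape
// { pattern, flags } (assumed here; not seroval's internal node format).
function deserializeRegExpNode(node) {
  const res = regExpFromUntrusted(node.pattern, node.flags);
  if (!res.ok) throw new TypeError(`rejected RegExp in payload: ${res.reason}`);
  return res.value;
}

// Times one test() call so the growth of backtracking cost is visible.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Constructed payloads: one oversized pattern, one catastrophic pattern.
const payloads = [
  { pattern: 'a'.repeat(100000), flags: '' },
  { pattern: '^(a+)+$', flags: '' },
];
for (const node of payloads) {
  try {
    deserializeRegExpNode(node);
  } catch (e) {
    console.log(e.message);
  }
}

// What the unguarded path costs: each extra 'a' roughly doubles the time,
// because the non-matching '!' forces the engine to try every split.
const evil = new RegExp('^(a+)+$');
for (const n of [14, 16, 18]) {
  const { ms } = timeMatch(evil, 'a'.repeat(n) + '!');
  console.log(`n=${n}: ${ms.toFixed(2)} ms`);
}
```

The guard is defence in depth, not a substitute for the upgrade: the nested-quantifier check is a heuristic that misses other exponential shapes, so keep the size cap strict and, where RegExp values must cross a trust boundary at all, prefer a dedicated ReDoS analyzer over the one-line pattern shown here.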



Advisories
Source: GitHub GHSA
ID: GHSA-hx9m-jf43-8ffr
Title: seroval affected by Denial of Service via RegExp serialization
History

Fri, 27 Feb 2026 19:45:00 +0000

CPEs
  Removed: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*
  Added:   cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

Fri, 27 Feb 2026 15:45:00 +0000

CPEs
  Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared
  Added: Lxsmnsyc; Lxsmnsyc seroval
Vendors & Products
  Added: Lxsmnsyc; Lxsmnsyc seroval

Thu, 22 Jan 2026 23:00:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 12:15:00 +0000

References
Metrics
  threat_severity
    Removed: None
    Added:   Important


Thu, 22 Jan 2026 02:00:00 +0000

Description
  Added: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Title
  Added: seroval affected by Denial of Service via RegExp serialization
Weaknesses
  Added: CWE-1333
References
Metrics
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T19:15:50.759Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23956

Vulnrichment

Updated: 2026-01-22T19:14:51.927Z

NVD

Status : Analyzed

Published: 2026-01-22T02:15:52.310

Modified: 2026-02-27T19:33:23.097

Link: CVE-2026-23956

Red Hat

Severity : Important

Public Date: 2026-01-22T01:23:58Z

Links: CVE-2026-23956 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses