{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.313Z", "datePublished": "2026-01-22T01:26:53.869Z", "dateUpdated": "2026-01-22T18:56:49.004Z"}, "containers": {"cna": {"title": "seroval is vulnerable to Denial of Service via array serialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"}, {"name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:26:53.869Z"}, "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}], "source": {"advisory": "GHSA-66fc-rw6m-c2q6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T18:56:07.994475Z", "id": "CVE-2026-23957", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:56:49.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T18:56:07.994475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:56:45.897Z"}}], "cna": {"title": "seroval is vulnerable to Denial of Service via array serialization", "source": {"advisory": "GHSA-66fc-rw6m-c2q6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:26:53.869Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23957", "state": "PUBLISHED", "dateUpdated": "2026-01-22T18:56:49.004Z", "dateReserved": "2026-01-19T14:49:06.313Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T01:26:53.869Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}], "id": "CVE-2026-23957", "lastModified": "2026-01-22T02:15:52.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T02:15:52.470", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}, {"source": "security-advisories@github.com", "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "seroval: Seroval: Denial of Service via large encoded array lengths", "id": "2431914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431914"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in seroval. A remote attacker can exploit this vulnerability by providing specially crafted input that overrides encoded array lengths with an excessively large value during the deserialization process. This manipulation causes the application to significantly increase processing time, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23957", "public_date": "2026-01-22T01:26:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23957\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23957\nhttps://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060\nhttps://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"], "statement": "This vulnerability is rated Important for Red Hat because seroval, a JavaScript value stringification library, can be exploited to cause a Denial of Service. An attacker can provide an excessively large value for encoded array lengths during deserialization, leading to a significant increase in processing time. This affects versions 1.4.0 and below of seroval, which is used in components like forgejo in Fedora and EPEL.", "threat_severity": "Important"}

{"created": "2026-01-22T10:08:18.627102+00:00", "updated": "2026-01-22T10:08:18.627129+00:00", "vendors": ["lxsmnsyc", "lxsmnsyc$PRODUCT$seroval"]}