Description
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

Seroval, a JavaScript value stringifier, can convert complex data structures in Node.js applications. In versions 1.4.0 and earlier, the serialization process may recurse into a depth that exceeds the JavaScript engine's maximum call stack size, generating an unhandled exception that can crash the runtime. This leads to a denial of service. The issue corresponds to CWE-770, Excessive Resource Consumption.

Affected Systems

The vulnerable product is Seroval, provided by lxsmnsyc. All releases up to and including 1.4.0 are affected; the remediation was added in 1.4.1, which introduces a depthLimit parameter to bound the recursion depth during serialization and deserialization.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is listed as <1%, meaning the likelihood of exploitation is very low. Seroval is not present in CISA’s KEV catalog. The flaw can be triggered by supplying a deeply nested object to any code path that serializes or deserializes user input with Seroval, which may be reachable from remote or local sources. Because the vulnerability causes a stack overflow that crashes the process, it results in service downtime rather than code execution.

Generated by OpenCVE AI on April 18, 2026 at 03:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seroval to version 1.4.1 or newer, where the depthLimit guard is available.
  • Configure the depthLimit parameter when calling serialize() or deserialize() to restrict the maximum nesting depth to a value suitable for your application.
  • Validate incoming data structures before passing them to Seroval, rejecting payloads that exceed an acceptable depth threshold.
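As an added example (not code from the Seroval project or from this advisory), the third action above implemented as a pre-validation step: the walk is iterative, so the check itself cannot overflow the call stack on the very input it is meant to reject, and it tracks visited objects so cyclic payloads terminate. The 64-level threshold, the function names and the constructed sample payload are assumptions for illustration.

```javascript
// Added example: bound the nesting depth of untrusted data before handing it to
// a serializer. Iterative DFS (no recursion) plus a visited set for cycles.

/**
 * Returns the maximum nesting depth of `value` over plain objects and arrays,
 * stopping early once `limit` is exceeded. Scalars have depth 0, an empty
 * object or array has depth 1. Map/Set/Date contents are not descended into.
 */
function nestingDepth(value, limit = Infinity) {
  if (value === null || typeof value !== 'object') return 0;
  const seen = new Set([value]);          // cycle guard: each object visited once
  const stack = [{ node: value, depth: 1 }];
  let maxDepth = 1;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) maxDepth = depth;
    if (maxDepth > limit) return maxDepth; // early exit: already too deep
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) {
      if (child !== null && typeof child === 'object' && !seen.has(child)) {
        seen.add(child);
        stack.push({ node: child, depth: depth + 1 });
      }
    }
  }
  return maxDepth;
}

// Reject payloads deeper than an application-specific threshold.
// 64 is an assumed, illustrative default; tune it to the data you expect.
function validateDepth(value, maxDepth = 64) {
  const depth = nestingDepth(value, maxDepth);
  if (depth > maxDepth) {
    throw new RangeError(`payload nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return value;
}

// Constructed sample input: an object nested `levels` deep, built iteratively
// so that building it does not itself recurse.
function buildNested(levels) {
  let obj = {};
  for (let i = 0; i < levels; i++) obj = { child: obj };
  return obj;
}
```

Run `validateDepth(payload)` before `serialize(payload)`; a rejected payload raises a catchable `RangeError` instead of an uncatchable stack overflow.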

Advisories
Source: GitHub GHSA
ID: GHSA-3j22-8qj3-26mx
Title: Seroval affected by Denial of Service via Deeply Nested Objects
History

Mon, 06 Apr 2026 14:15:00 +0000
  CPEs
    Values removed: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*
    Values added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

Fri, 27 Feb 2026 14:45:00 +0000
  CPEs
    Values added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000
  First Time appeared
    Values added: Lxsmnsyc; Lxsmnsyc seroval
  Vendors & Products
    Values added: Lxsmnsyc; Lxsmnsyc seroval

Thu, 22 Jan 2026 13:15:00 +0000
  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 12:15:00 +0000
  References
  Metrics (threat_severity)
    Values removed: None
    Values added: Important

Thu, 22 Jan 2026 02:45:00 +0000
  Description
    Values added: Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
  Title
    Values added: Seroval affected by Denial of Service via Deeply Nested Objects
  Weaknesses
    Values added: CWE-770
  References
  Metrics (cvssV3_1)
    Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T12:50:51.270Z

Reserved: 2026-01-19T18:49:20.659Z

Link: CVE-2026-24006

Vulnrichment

Updated: 2026-01-22T12:50:46.861Z

NVD

Status: Analyzed

Published: 2026-01-22T03:15:47.933

Modified: 2026-04-06T13:51:37.490

Link: CVE-2026-24006

Red Hat

Severity: Important

Public Date: 2026-01-22T02:32:31Z

Links: CVE-2026-24006 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses