CVE-2026-23956
Severity: HIGH
seroval 0.2.0-1.4.0 - Regular Expression Denial of Service via RegExp Serialization Override
seroval serializes JavaScript values to strings, including complex structures that JSON.stringify cannot represent. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
References (3)
Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr
Patch: https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
Other reference (seroval v0.2.0 source, index.ts line 90): https://github.com/lxsmnsyc/seroval/blob/v0.2.0/packages/seroval/src/index.ts#L90
Scores
CVSS v3 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0048 (percentile 37.5%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Status: published
Products (3)
lxsmnsyc/seroval: < 1.4.1 (2 CPE variants)
lxsmnsyc/seroval: >= 0.2.0, < 1.4.1
npm/seroval: 0.2.0 - 1.4.1
Published: Jan 22, 2026
Tracked Since: Feb 18, 2026