CVE-2026-24006

HIGH

seroval < 1.4.1 - Denial of Service via Deep Object Serialization

Description

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
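
For code that passes untrusted values to a recursive serializer, the depth check described above can be approximated before the call with an iterative walk that cannot itself overflow the stack. This is an added example, not seroval's code or its `depthLimit` implementation; `exceedsDepth`, `guardedSerialize`, `buildNested` and the limit of 1000 are assumptions.

```javascript
// Added example. All names and the limit below are assumptions, not seroval API.
const DEFAULT_DEPTH_LIMIT = 1000;

// True when `root` nests deeper than `limit`. The walk uses an explicit stack,
// so the check cannot overflow the call stack on deeply nested input.
// Depth is measured along the first path that reaches each object.
function exceedsDepth(root, limit = DEFAULT_DEPTH_LIMIT) {
  const seen = new WeakSet(); // enter cycles and shared references only once
  const stack = [[root, 1]];
  while (stack.length > 0) {
    const [value, depth] = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    if (depth > limit) return true;
    if (seen.has(value)) continue;
    seen.add(value);
    let children;
    if (value instanceof Map) children = [...value.keys(), ...value.values()];
    else if (value instanceof Set) children = [...value];
    else children = Object.values(value); // arrays and plain objects
    for (let i = children.length - 1; i >= 0; i--) {
      stack.push([children[i], depth + 1]);
    }
  }
  return false;
}

// Rejects over-deep input before calling `serialize` (any recursive serializer).
function guardedSerialize(value, serialize, limit = DEFAULT_DEPTH_LIMIT) {
  if (exceedsDepth(value, limit)) {
    throw new RangeError(`depth limit ${limit} exceeded; value not serialized`);
  }
  return serialize(value);
}

// Constructed sample input: `depth` nested objects, built without recursion.
function buildNested(depth) {
  let node = {};
  for (let i = 1; i < depth; i++) node = { child: node };
  return node;
}
```

The guard is a stopgap for callers that cannot upgrade immediately; on 1.4.1 and later the library's own `depthLimit` parameter performs the check.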

Scores

CVSS v3 7.5
EPSS 0.0040
EPSS Percentile 31.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (2)
lxsmnsyc/seroval < 1.4.1 (2 CPE variants)
npm/seroval 0 - 1.4.1
Published Jan 22, 2026
Tracked Since Feb 18, 2026