HIGHCVE-2026-24006Published 2026-01-22Modified 2026-01-22CNA GitHub_M

CVE-2026-24006: Seroval affected by Denial of Service via Deeply Nested Objects

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

lxsmnsyc / seroval
< 1.4.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060

Metrics