seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0
and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
References
| Link | Resource |
|---|---|
| https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 | Patch |
| https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr | Mitigation Vendor Advisory |
Configurations
History
27 Feb 2026, 19:33
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:* |
27 Feb 2026, 15:31
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:* | |
| References | () https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 - Patch | |
| References | () https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr - Mitigation, Vendor Advisory | |
| First Time |
Lxsmnsyc seroval
Lxsmnsyc |
22 Jan 2026, 02:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-22 02:15
Updated : 2026-02-27 19:33
NVD link : CVE-2026-23956
Mitre link : CVE-2026-23956
CVE.ORG link : CVE-2026-23956
JSON object : View
Products Affected
lxsmnsyc
- seroval
CWE
CWE-1333
Inefficient Regular Expression Complexity