CVE-2026-23956

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Configurations

Configuration 1

cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

History

20 May 2026, 02:16

Type: References
Values Added:
  • https://github.com/lxsmnsyc/seroval/blob/v0.2.0/packages/seroval/src/index.ts#L90

Type: Summary
Values Added:
  • (es) seroval facilitates the serialization of JS values, including complex structures that go beyond the capabilities of JSON.stringify. In versions 1.4.0 and earlier, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

Type: Summary (en)
Values Removed: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Values Added: seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

27 Feb 2026, 19:33

Type: CPE
Values Removed: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*
Values Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*

27 Feb 2026, 15:31

Type: CPE
Values Added: cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*

Type: References
Values Removed: https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
Values Added: https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 - Patch

Type: References
Values Removed: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr
Values Added: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr - Mitigation, Vendor Advisory

Type: First Time
Values Added:
  • Lxsmnsyc seroval
  • Lxsmnsyc

22 Jan 2026, 02:15

Type: New CVE

Information

Published : 2026-01-22 02:15

Updated : 2026-05-20 02:16


NVD link : CVE-2026-23956

Mitre link : CVE-2026-23956

CVE.ORG link : CVE-2026-23956



Products Affected

lxsmnsyc

  • seroval
CWE
CWE-1333: Inefficient Regular Expression Complexity