CVE-2026-23956
ReDoS and Memory Exhaustion in seroval RegExp Deserialization
Publication date: 2026-01-22
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lxsmnsyc | seroval | up to 1.4.1 (1.4.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the npm package 'seroval' (versions 1.4.0 and below) involves the serialization of RegExp objects with extremely large patterns. Such patterns can exhaust JavaScript runtime memory during deserialization. Additionally, certain patterns can cause catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS) attack. Essentially, attackers can exploit this to make the application unresponsive or crash it by sending specially crafted serialized data. [1]
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) by exhausting memory or triggering catastrophic backtracking during deserialization of RegExp patterns. This results in service disruption or application crashes, impacting availability. The attack can be performed remotely without any privileges or user interaction, making it relatively easy to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying usage of vulnerable seroval versions (<=1.4.0) and monitoring for abnormal memory usage or service disruptions during deserialization of RegExp patterns. You can check the installed seroval version with the command `npm list seroval` or `yarn list seroval`. Additionally, monitoring logs for deserialization errors or unusually high memory consumption during runtime may indicate exploitation attempts. There are no specific detection commands provided for this vulnerability. [1]
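As an added example (not code from the advisory or from the seroval project), the version check above can be automated against a `package-lock.json` so that nested copies of seroval, which `npm list` output is easy to overlook, are also caught; the lockfile shape assumed is the `lockfileVersion` 2/3 `packages` map, and the sample lockfile is constructed:

```javascript
// Added example, not code from the advisory or from the seroval project: scan a
// package-lock.json (lockfileVersion 2/3 "packages" map) for seroval installs
// and flag any version below 1.4.1, the first release outside the affected range.
const FIXED_VERSION = '1.4.1';

// Split "major.minor.patch[-prerelease][+build]" into numeric core parts and a
// prerelease flag; the build suffix carries no ordering and is ignored.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// True when `version` precedes FIXED_VERSION in semver order, i.e. it is in the
// "< 1.4.1" range. A prerelease of 1.4.1 itself (1.4.1-beta.0) also precedes it.
function isVulnerableSerovalVersion(version) {
  const v = parseSemver(version);
  const fixed = parseSemver(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (v.core[i] !== fixed.core[i]) return v.core[i] < fixed.core[i];
  }
  return v.prerelease;
}

// Nested copies live under keys such as "node_modules/dep/node_modules/seroval",
// so match on the final path segment rather than on the top-level entry only.
function findVulnerableSeroval(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path !== 'node_modules/seroval' && !path.endsWith('/node_modules/seroval')) continue;
    if (isVulnerableSerovalVersion(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: a patched direct install and a nested vulnerable copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/seroval': { version: '1.4.1' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/seroval': { version: '1.3.2' },
  },
};

console.log(findVulnerableSeroval(sampleLock));
```

Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means the upgrade or the `disabledFeatures` workaround still needs to be applied for that copy.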
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the seroval package to version 1.4.1 or later, where the vulnerability is fixed. Alternatively, you can disable RegExp serialization entirely by using the `disabledFeatures` bitmask with the `Feature.RegExp` flag in the serialization and deserialization methods to prevent exploitation. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a Denial of Service (DoS) affecting availability but does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if service disruption violates availability requirements in certain regulatory contexts. [1]