CVE-2026-23956
Modified Modified - Updated After Analysis
ReDoS and Memory Exhaustion in seroval RegExp Deserialization

Publication date: 2026-01-22

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23956
EUVD
EUVD-2026-3669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lxsmnsyc seroval to 1.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the npm package 'seroval' (versions 1.4.0 and below) involves the overriding of RegExp serialization with extremely large patterns. This can exhaust JavaScript runtime memory during deserialization. Additionally, certain patterns can cause catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS) attack. Essentially, attackers can exploit this to cause the application to become unresponsive or crash by sending specially crafted serialized data. [1]

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by exhausting memory or triggering catastrophic backtracking during deserialization of RegExp patterns. This results in service disruption or application crashes, impacting availability. The attack can be performed remotely without any privileges or user interaction, making it relatively easy to exploit. [1]

Detection Guidance

Detection involves identifying usage of vulnerable seroval versions (<=1.4.0) and monitoring for abnormal memory usage or service disruptions during deserialization of RegExp patterns. You can check the installed seroval version with the command `npm list seroval` or `yarn list seroval`. Additionally, monitoring logs for deserialization errors or unusually high memory consumption during runtime may indicate exploitation attempts. There are no specific detection commands provided for this vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the seroval package to version 1.4.1 or later, where the vulnerability is fixed. Alternatively, you can disable RegExp serialization entirely by using the `disabledFeatures` bitmask with the `Feature.RegExp` flag in the serialization and deserialization methods to prevent exploitation. [1]

Compliance Impact

This vulnerability causes a Denial of Service (DoS) affecting availability but does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if service disruption violates availability requirements in certain regulatory contexts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart