CVE-2026-23956
Modified Modified - Updated After Analysis

ReDoS and Memory Exhaustion in seroval RegExp Deserialization

Vulnerability report for CVE-2026-23956, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-22

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-22
Last Modified
2026-05-20
Generated
2026-07-06
AI Q&A
2026-01-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lxsmnsyc seroval to 1.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the npm package 'seroval' (versions 1.4.0 and below) involves the overriding of RegExp serialization with extremely large patterns. This can exhaust JavaScript runtime memory during deserialization. Additionally, certain patterns can cause catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS) attack. Essentially, attackers can exploit this to cause the application to become unresponsive or crash by sending specially crafted serialized data. [1]

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by exhausting memory or triggering catastrophic backtracking during deserialization of RegExp patterns. This results in service disruption or application crashes, impacting availability. The attack can be performed remotely without any privileges or user interaction, making it relatively easy to exploit. [1]

Detection Guidance

Detection involves identifying usage of vulnerable seroval versions (<=1.4.0) and monitoring for abnormal memory usage or service disruptions during deserialization of RegExp patterns. You can check the installed seroval version with the command `npm list seroval` or `yarn list seroval`. Additionally, monitoring logs for deserialization errors or unusually high memory consumption during runtime may indicate exploitation attempts. There are no specific detection commands provided for this vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the seroval package to version 1.4.1 or later, where the vulnerability is fixed. Alternatively, you can disable RegExp serialization entirely by using the `disabledFeatures` bitmask with the `Feature.RegExp` flag in the serialization and deserialization methods to prevent exploitation. [1]

Compliance Impact

This vulnerability causes a Denial of Service (DoS) affecting availability but does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if service disruption violates availability requirements in certain regulatory contexts. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart