CVE-2026-24006
Stack Overflow in Seroval Serialization Causes Denial of Service
Publication date: 2026-01-22
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lxsmnsyc | seroval | to 1.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Denial of Service (DoS) issue in the npm package 'seroval' versions up to 1.4.0. It occurs when serializing objects with extremely deep nesting, which can exceed the maximum call stack limit in JavaScript, causing the application to crash or become unresponsive. Version 1.4.1 introduced a 'depthLimit' parameter to prevent this by throwing an error if the depth limit is exceeded during serialization or deserialization. [1]
How can this vulnerability impact me? :
The vulnerability can cause your application to crash or become unresponsive due to a stack overflow when processing deeply nested objects. This results in a Denial of Service, impacting the availability of your service or application that uses the 'seroval' package. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for application crashes or unresponsiveness caused by serialization of deeply nested objects using seroval versions up to 1.4.0. There are no specific commands provided to detect the vulnerability directly. However, reviewing the seroval package version in use and checking for error logs related to maximum call stack exceeded during serialization can help identify if the vulnerability is being triggered. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the seroval package to version 1.4.1 or later, which introduces a `depthLimit` parameter in serialization and deserialization methods. This parameter enforces a maximum allowed depth and throws an error if exceeded, preventing stack overflow and denial of service. [1]