CVE-2026-24006
Unknown Unknown - Not Provided
Stack Overflow in Seroval Serialization Causes Denial of Service

Publication date: 2026-01-22

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24006
EUVD
EUVD-2026-4134
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lxsmnsyc seroval to 1.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the npm package 'seroval' versions up to 1.4.0. It occurs when serializing objects with extremely deep nesting, which can exceed the maximum call stack limit in JavaScript, causing the application to crash or become unresponsive. Version 1.4.1 introduced a 'depthLimit' parameter to prevent this by throwing an error if the depth limit is exceeded during serialization or deserialization. [1]

Impact Analysis

The vulnerability can cause your application to crash or become unresponsive due to a stack overflow when processing deeply nested objects. This results in a Denial of Service, impacting the availability of your service or application that uses the 'seroval' package. [1]

Detection Guidance

This vulnerability can be detected by monitoring for application crashes or unresponsiveness caused by serialization of deeply nested objects using seroval versions up to 1.4.0. There are no specific commands provided to detect the vulnerability directly. However, reviewing the seroval package version in use and checking for error logs related to maximum call stack exceeded during serialization can help identify if the vulnerability is being triggered. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the seroval package to version 1.4.1 or later, which introduces a `depthLimit` parameter in serialization and deserialization methods. This parameter enforces a maximum allowed depth and throws an error if exceeded, preventing stack overflow and denial of service. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart