CVE-2026-24006

Seroval affected by Denial of Service via Deeply Nested Objects

CVSS 7.5 HIGHEPSS 0.4%CWE-770

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

22 jan 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Produtos afetados

lxsmnsyc · seroval

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx