GHSA-hx9m-jf43-8ffrHighCVSS 7.5
seroval affected by Denial of Service via RegExp serialization
🔗 CVE IDs covered (1)
📋 Description
Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service).
Mitigation:
Seroval introduces disabledFeatures (a bitmask) in serialization/deserialization methods, with Feature.RegExp as a dedicated flag. Users are recommended to configure disabledFeatures to disable RegExp serialization entirely.
🎯 Affected products1
- npm/seroval:>= 0.2.0, <= 1.4.0
🔗 References (5)
- https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr
- https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
- https://nvd.nist.gov/vuln/detail/CVE-2026-23956
- https://github.com/lxsmnsyc/seroval/blob/v0.2.0/packages/seroval/src/index.ts#L90
- https://github.com/advisories/GHSA-hx9m-jf43-8ffr