VYPR
High severity 7.5 · OSV Advisory · Published Jan 22, 2026 · Updated May 20, 2026

CVE-2026-23956

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| seroval (npm) | >= 0.2.0, < 1.4.1 | 1.4.1 |
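
To check a project against the range above, the following added example (not part of the advisory or of seroval) walks the `packages` map of a parsed `package-lock.json` (lockfileVersion 2 or 3) and classifies every seroval install, including nested copies. The sample lockfile, its versions and the `example-*` names are constructed for illustration.

```javascript
// Added example (not from the advisory). Range taken from the page: >= 0.2.0, < 1.4.1.
const INTRODUCED = [0, 2, 0];
const FIXED = [1, 4, 1];

// Parse MAJOR.MINOR.PATCH with optional prerelease/build; null if not plain semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m && { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "patched", "not-affected" (older than 0.2.0) or "unknown".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown"; // git URLs, tags, missing versions: review manually
  const lo = cmp(p.core, INTRODUCED);
  if (lo < 0 || (lo === 0 && p.pre)) return "not-affected";
  const hi = cmp(p.core, FIXED);
  // A prerelease of 1.4.1 sorts below 1.4.1 in semver, so it is still in range.
  return hi < 0 || (hi === 0 && p.pre) ? "affected" : "patched";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json object.
function auditSeroval(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match top-level and nested installs, but not names like seroval-plugins.
    if (path !== "node_modules/seroval" && !path.endsWith("/node_modules/seroval")) continue;
    hits.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return hits;
}

// Constructed sample lockfile; versions and example-* names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/seroval": { version: "1.4.1" },
    "node_modules/seroval-plugins": { version: "1.3.2" },
    "node_modules/example-dep/node_modules/seroval": { version: "1.3.2" },
  },
};

console.log(auditSeroval(sampleLock));
```

A nested copy pinned by a transitive dependency stays in range even when the top-level install is already at 1.4.1, which is why every path is reported separately.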

Affected products

  • Lxsmnsyc/Seroval (OSV, 3 versions): v0.1.0, v0.10.0, v0.10.1, … + 2 more
    • (no CPE) range: v0.1.0, v0.10.0, v0.10.1, …
    • cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:* range: <1.4.1
    • (no CPE) range: <=1.4.0
