High severity (7.5) · NVD Advisory · Published Jan 22, 2026 · Updated Apr 6, 2026
CVE-2026-24006
Description
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
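A depth check of the kind the fix describes, written as a guard that callers on an affected version can run before serializing untrusted values. This is an added example, not seroval's code: `exceedsDepth`, `assertSerializable`, `buildNested` and the limit of 1000 are assumptions chosen for illustration.

```javascript
// Added example, not seroval's implementation.
// Returns true if `root` nests deeper than `limit` levels (root object = level 1).
// The walk uses an explicit stack, so the check itself cannot hit the
// call stack limit that a recursive serializer would.
function exceedsDepth(root, limit) {
  const seen = new WeakSet(); // cyclic/shared objects are visited once,
                              // at the depth of the first path reaching them
  const stack = [[root, 0]];
  while (stack.length > 0) {
    const [value, depth] = stack.pop();
    if (value === null || typeof value !== 'object') continue; // primitives add no depth
    if (seen.has(value)) continue;
    seen.add(value);
    if (depth + 1 > limit) return true;
    let children;
    if (value instanceof Map) children = [...value.keys(), ...value.values()];
    else if (value instanceof Set) children = [...value];
    else children = Object.values(value); // plain objects and arrays
    for (const child of children) stack.push([child, depth + 1]);
  }
  return false;
}

// Hypothetical wrapper: reject over-deep input before it reaches the serializer.
// The default of 1000 is an arbitrary value for this example.
function assertSerializable(value, limit = 1000) {
  if (exceedsDepth(value, limit)) {
    throw new RangeError(`refusing to serialize: nesting exceeds ${limit} levels`);
  }
  return value;
}

// Constructed sample input: an object nested `levels` deep, built without recursion.
function buildNested(levels) {
  let node = { leaf: true };
  for (let i = 1; i < levels; i++) node = { child: node };
  return node;
}

console.log(exceedsDepth(buildNested(10), 10));      // within the limit
console.log(exceedsDepth(buildNested(200000), 1000)); // far beyond the limit
```

The guard is a stopgap for deployments that cannot yet move to 1.4.1; it does not replace the upgrade.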
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| seroval (npm) | < 1.4.1 | 1.4.1 |
References
- github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 (nvd: Patch, WEB)
- github.com/advisories/GHSA-3j22-8qj3-26mx (ghsa: ADVISORY)
- github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx (nvd: Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-24006 (ghsa: ADVISORY)