Description
Overriding an encoded array length with an excessively large value causes the deserialization process to take significantly longer.
Mitigation: Seroval no longer encodes array lengths. Instead, it computes the length using Array.prototype.length during deserialization.
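The pattern described above, as an added illustration that is not seroval's code: the `{ l, a }` node shape and all function names are hypothetical, and the payload is constructed. It counts loop iterations to show how work follows a declared length versus the length of the items actually present.

```javascript
// Toy wire format for illustration only, NOT seroval's real encoding.
// Hypothetical node: { l: <declared length>, a: [<items actually sent>] }

// Risky pattern: the loop bound is a field the sender controls.
function deserializeTrustingLength(node, stats) {
  const out = [];
  for (let i = 0; i < node.l; i++) {
    stats.iterations++;                      // work scales with the declared value
    if (i < node.a.length) out[i] = node.a[i];
  }
  return out;
}

// Hardened pattern (mirrors the mitigation): ignore any declared length and
// derive the bound from the array that was actually received.
function deserializeDerivedLength(node, stats) {
  const out = [];
  for (let i = 0; i < node.a.length; i++) {
    stats.iterations++;                      // work scales with real payload size
    out[i] = node.a[i];
  }
  return out;
}

// Run both deserializers over the same constructed three-item payload and
// report how much work each did for a given declared length.
function compare(declaredLength) {
  const payload = { l: declaredLength, a: ['a', 'b', 'c'] }; // constructed sample
  const trusting = { iterations: 0 };
  const derived = { iterations: 0 };
  const r1 = deserializeTrustingLength(payload, trusting);
  const r2 = deserializeDerivedLength(payload, derived);
  return {
    trusting: trusting.iterations,
    derived: derived.iterations,
    sameResult: JSON.stringify(r1) === JSON.stringify(r2),
  };
}

console.log(compare(3));         // honest declared length
console.log(compare(1_000_000)); // inflated declared length, same three items
```

Both functions return the same array in each run; only the iteration count differs, which is why deriving the length from the received data removes the amplification.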
Recommendation
Update the seroval package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 1.4.0
- Patched version(s): 1.4.1
References
Related Issues
- seroval affected by Denial of Service via RegExp serialization - CVE-2026-23956
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions - CVE-2026-25535
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
Tags: npm, seroval
Last updated on January 22, 2026