Description
Overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time.
Mitigation: Seroval no longer encodes array lengths. Instead, it computes length using Array.prototype.length during deserialization.
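The pattern described above, as an added example (not seroval's code and not its wire format): a toy deserializer over a constructed node shape `{type, length, items}`, comparing a loop bounded by the encoded length with one bounded by `items.length`. All function and field names here are hypothetical.

```javascript
// Toy node format, constructed for illustration only:
//   { type: "array", length: <number>, items: [<node>, ...] }
//   { type: "number", value: <number> }

function checkNode(node) {
  if (node === null || typeof node !== "object") throw new TypeError("bad node");
  return node;
}

// Pattern behind the issue: the loop bound is read from the payload itself,
// so the work done grows with the declared length, not with the data sent.
function deserializeTrustingLength(node, stats) {
  checkNode(node);
  if (node.type !== "array") return node.value;
  const out = [];
  for (let i = 0; i < node.length; i++) {
    stats.steps++;
    if (i in node.items) out[i] = deserializeTrustingLength(node.items[i], stats);
  }
  return out;
}

// Pattern of the fix: ignore any encoded length and use the real array length,
// so the work is bounded by the size of the input that was actually received.
function deserializeUsingActualLength(node, stats) {
  checkNode(node);
  if (node.type !== "array") return node.value;
  const out = [];
  for (let i = 0, len = node.items.length; i < len; i++) {
    stats.steps++;
    out[i] = deserializeUsingActualLength(node.items[i], stats);
  }
  return out;
}

// Constructed sample: two real items, declared length overridden to 200000.
const SAMPLE = '{"type":"array","length":200000,"items":[' +
  '{"type":"number","value":1},{"type":"number","value":2}]}';

function compare(json) {
  const trusting = { steps: 0 };
  const actual = { steps: 0 };
  const a = deserializeTrustingLength(JSON.parse(json), trusting);
  const b = deserializeUsingActualLength(JSON.parse(json), actual);
  return { trusting: trusting.steps, actual: actual.steps, a, b };
}

console.log(compare(SAMPLE));
```

Both functions return the same two-element array; only the number of loop iterations differs.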
Recommendation
Update the seroval package to the latest compatible version. Version details:
- Affected version(s): <= 1.4.0
- Patched version(s): 1.4.1
References
Related Issues
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM - Vulnerability
- Tags:
- npm
- seroval
Last updated on January 22, 2026