Description
Serialization of objects with extreme depth can exceed the maximum call stack limit.
Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
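The following is an added example, not seroval's code and not part of this advisory: a caller-side depth check that can run in front of any recursive serializer, independent of the library's own depthLimit. The names `exceedsDepth`, `guardedSerialize`, `DepthLimitError`, `buildNested` and the default limit of 1000 are assumptions chosen for illustration.

```javascript
// Added example, not seroval code. exceedsDepth, guardedSerialize,
// DepthLimitError and the default limit of 1000 are illustrative assumptions.
class DepthLimitError extends Error {}

// Walks the value with an explicit stack instead of recursion, so the check
// itself cannot exhaust the call stack however deep the input is.
// Depth counts nested objects: a flat object or array has depth 1.
function exceedsDepth(root, limit) {
  const stack = [[root, 1]];
  const seen = new WeakSet(); // cyclic/shared objects are visited once
  while (stack.length > 0) {
    const [value, depth] = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    if (seen.has(value)) continue;
    if (depth > limit) return true; // stop early, no need to walk the rest
    seen.add(value);
    let children;
    if (value instanceof Map) children = [...value.keys(), ...value.values()];
    else if (value instanceof Set) children = [...value];
    else children = Object.values(value);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return false;
}

// Rejects over-deep input before handing it to a recursive serializer.
// `serialize` is whatever function the application uses (JSON.stringify here).
function guardedSerialize(value, serialize = JSON.stringify, limit = 1000) {
  if (exceedsDepth(value, limit)) {
    throw new DepthLimitError(`object nesting exceeds ${limit} levels`);
  }
  return serialize(value);
}

// Constructed input: nested objects built iteratively, one per level.
function buildNested(levels) {
  let node = null;
  for (let i = 0; i < levels; i++) node = { child: node };
  return node;
}
```

Because visited objects are skipped, a shared object is measured at the depth where the walk first reaches it.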
Recommendation
Update the seroval package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 1.4.0
- Patched version(s): 1.4.1
References
Related Issues
- Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- PsiTransfer has Zip Slip Path Traversal via TAR Archive Download - Vulnerability
Tags: npm, seroval
Last updated on January 22, 2026