Description
Serialization of objects with extreme depth can exceed the maximum call stack limit.
Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
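The failure mode and the guard described above, as an added example that is not seroval's code: a stand-in recursive serializer run with and without a depth check on a constructed, deeply nested input. Only the name `depthLimit` comes from the advisory; the functions, the error class and the default of 1000 are assumptions made for illustration.

```javascript
// Added illustration, not seroval's implementation; all names are hypothetical.
class DepthLimitError extends Error {}

// Build a constructed input nested `depth` levels deep. Done iteratively so
// that creating the sample never recurses.
function nest(depth) {
  let value = { leaf: true };
  for (let i = 0; i < depth; i++) value = { child: value };
  return value;
}

// Recursive serializer with no guard: stack use grows with every nesting level.
function serializeUnbounded(value) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  const next = (v) => serializeUnbounded(v);
  if (Array.isArray(value)) return "[" + value.map(next).join(",") + "]";
  const parts = Object.keys(value).map((k) => JSON.stringify(k) + ":" + next(value[k]));
  return "{" + parts.join(",") + "}";
}

// Same walk, but the current depth is checked before descending, so deep
// input ends in a well-defined error long before the stack is exhausted.
// The default of 1000 is an assumed value, not seroval's.
function serializeBounded(value, depthLimit = 1000, depth = 0) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (depth >= depthLimit) throw new DepthLimitError(`depth limit ${depthLimit} reached`);
  const next = (v) => serializeBounded(v, depthLimit, depth + 1);
  if (Array.isArray(value)) return "[" + value.map(next).join(",") + "]";
  const parts = Object.keys(value).map((k) => JSON.stringify(k) + ":" + next(value[k]));
  return "{" + parts.join(",") + "}";
}

// Run a serializer and report how it ended, for side-by-side comparison.
function outcome(fn, input) {
  try {
    return { ok: true, output: fn(input) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

const deep = nest(200000); // constructed sample
console.log(outcome(serializeUnbounded, deep)); // engine stack overflow
console.log(outcome(serializeBounded, deep)); // controlled rejection
console.log(outcome(serializeBounded, nest(3))); // normal input still works
```

A depth check only helps if the limit sits well below the depth at which the runtime's own stack gives out, which varies with engine and frame size.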
Recommendation
Update the seroval package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 1.4.0
- Patched version(s): 1.4.1
References
Related Issues
- Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
- seroval affected by Denial of Service via RegExp serialization - CVE-2026-23956
- Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - CVE-2026-34043
- jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions - CVE-2026-25535
Tags: npm, seroval
Last updated on January 22, 2026