seroval affected by Denial of Service via RegExp serialization

Description

Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service).

Recommendation

Update the seroval package to the latest compatible version. Followings are version details:

• Affected version(s): <= 1.4.0
• Patched version(s): 1.4.1

References

• GHSA-hx9m-jf43-8ffr
• CVE-2026-23956
• CWE-1333
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
• Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
• Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
• jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions - CVE-2026-25535

Tags:

npm

seroval