Description
Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service).
Recommendation
Update the seroval package to the latest compatible version. Version details:
- Affected version(s): <= 1.4.0
- Patched version(s): 1.4.1
References
Related Issues
- StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134
- Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
Tags: npm, seroval
Last updated on January 22, 2026