CVE-2026-23956

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23956

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23956.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23956

Aliases

GHSA-hx9m-jf43-8ffr

Published

2026-01-22T01:23:58.922Z

Modified

2026-03-14T12:47:17.366051Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

seroval affected by Denial of Service via RegExp serialization

Details

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23956.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1333"
    ]
}

References

Affected packages

Git / github.com/lxsmnsyc/seroval

Affected ranges

Type: GIT
Repo: https://github.com/lxsmnsyc/seroval
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce9408ebc87312fcad345a73c172212f2a798060

Affected versions

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.11.4

v0.11.5

v0.11.6

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.12.4

v0.13.0

v0.13.1

v0.13.2

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.0-alpha.0

v0.4.0-alpha.1

v0.4.0-alpha.10

v0.4.0-alpha.11

v0.4.0-alpha.12

v0.4.0-alpha.13

v0.4.0-alpha.14

v0.4.0-alpha.15

v0.4.0-alpha.16

v0.4.0-alpha.17

v0.4.0-alpha.18

v0.4.0-alpha.2

v0.4.0-alpha.3

v0.4.0-alpha.4

v0.4.0-alpha.5

v0.4.0-alpha.6

v0.4.0-alpha.7

v0.4.0-alpha.8

v0.4.0-alpha.9

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23956.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.4.1"
            }
        ]
    }
]