CVE-2026-24006
- Source
- https://cve.org/CVERecord?id=CVE-2026-24006
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24006.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-24006
- Aliases
- Published
- 2026-01-22T02:32:31.913Z
- Modified
- 2026-03-14T12:47:18.770943Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Seroval affected by Denial of Service via Deeply Nested Objects
- Details
-
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a
depthLimitparameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-770" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24006.json" }- References
Affected packages
Git / github.com/lxsmnsyc/seroval
Affected ranges
- Type
- GIT
- Repo
- https://github.com/lxsmnsyc/seroval
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.0-alpha.0
v0.4.0-alpha.1
v0.4.0-alpha.10
v0.4.0-alpha.11
v0.4.0-alpha.12
v0.4.0-alpha.13
v0.4.0-alpha.14
v0.4.0-alpha.15
v0.4.0-alpha.16
v0.4.0-alpha.17
v0.4.0-alpha.18
v0.4.0-alpha.2
v0.4.0-alpha.3
v0.4.0-alpha.4
v0.4.0-alpha.5
v0.4.0-alpha.6
v0.4.0-alpha.7
v0.4.0-alpha.8
v0.4.0-alpha.9
v0.4.1
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3