GHSA-66fc-rw6m-c2q6

Source

https://github.com/advisories/GHSA-66fc-rw6m-c2q6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-66fc-rw6m-c2q6/GHSA-66fc-rw6m-c2q6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-66fc-rw6m-c2q6

Aliases

CVE-2026-23957

Published

2026-01-21T17:05:54Z

Modified

2026-02-03T03:10:03.317259Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Seroval affected by Denial of Service via Array serialization

Details

Overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time.

Mitigation:
Seroval no longer encodes array lengths. Instead, it computes length using Array.prototype.length during deserialization.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-01-21T17:05:54Z",
    "nvd_published_at": "2026-01-22T02:15:52Z"
}

References

Affected packages

npm / seroval

Package

Name: seroval; View open source insights on deps.dev
Purl: pkg:npm/seroval

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-66fc-rw6m-c2q6/GHSA-66fc-rw6m-c2q6.json"

last_known_affected_version_range

"<= 1.4.0"