GHSA-hx9m-jf43-8ffr

Source

https://github.com/advisories/GHSA-hx9m-jf43-8ffr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hx9m-jf43-8ffr/GHSA-hx9m-jf43-8ffr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hx9m-jf43-8ffr

Aliases

CVE-2026-23956

Published

2026-01-21T16:57:06Z

Modified

2026-02-03T03:10:09.838188Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

seroval affected by Denial of Service via RegExp serialization

Details

Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service).

Mitigation:
Seroval introduces disabledFeatures (a bitmask) in serialization/deserialization methods, with Feature.RegExp as a dedicated flag. Users are recommended to configure disabledFeatures to disable RegExp serialization entirely.

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed_at": "2026-01-21T16:57:06Z",
    "nvd_published_at": "2026-01-22T02:15:52Z"
}

References

Affected packages

npm / seroval

Package

Name: seroval; View open source insights on deps.dev
Purl: pkg:npm/seroval

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hx9m-jf43-8ffr/GHSA-hx9m-jf43-8ffr.json"

last_known_affected_version_range

"<= 1.4.0"