{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.313Z", "datePublished": "2026-01-22T01:26:53.869Z", "dateUpdated": "2026-01-22T18:56:49.004Z"}, "containers": {"cna": {"title": "seroval is vulnerable to Denial of Service via array serialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"}, {"name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:26:53.869Z"}, "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}], "source": {"advisory": "GHSA-66fc-rw6m-c2q6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T18:56:07.994475Z", "id": "CVE-2026-23957", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:56:49.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T18:56:07.994475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:56:45.897Z"}}], "cna": {"title": "seroval is vulnerable to Denial of Service via array serialization", "source": {"advisory": "GHSA-66fc-rw6m-c2q6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T01:26:53.869Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23957", "state": "PUBLISHED", "dateUpdated": "2026-01-22T18:56:49.004Z", "dateReserved": "2026-01-19T14:49:06.313Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T01:26:53.869Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "85760E40-9AB1-40EB-98A1-D1A4411AAFC5", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}, {"lang": "es", "value": "seroval facilita la serializaci\u00f3n de valores JS, incluyendo estructuras complejas m\u00e1s all\u00e1 de las capacidades de JSON.stringify. En las versiones 1.4.0 e inferiores, la anulaci\u00f3n de las longitudes de arrays codificados al reemplazarlas con un valor excesivamente grande provoca que el proceso de deserializaci\u00f3n aumente significativamente el tiempo de procesamiento. Este problema ha sido solucionado en la versi\u00f3n 1.4.1."}], "id": "CVE-2026-23957", "lastModified": "2026-04-06T13:51:20.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T02:15:52.470", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "seroval: Seroval: Denial of Service via large encoded array lengths", "id": "2431914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431914"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in seroval. A remote attacker can exploit this vulnerability by providing specially crafted input that overrides encoded array lengths with an excessively large value during the deserialization process. This manipulation causes the application to significantly increase processing time, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23957", "public_date": "2026-01-22T01:26:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23957\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23957\nhttps://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060\nhttps://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6"], "statement": "This vulnerability is rated Important for Red Hat because seroval, a JavaScript value stringification library, can be exploited to cause a Denial of Service. An attacker can provide an excessively large value for encoded array lengths during deserialization, leading to a significant increase in processing time. This affects versions 1.4.0 and below of seroval, which is used in components like forgejo in Fedora and EPEL.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T04:00:54.254641+00:00", "value": {"mitigation_remediation": ["Update the Seroval dependency to version 1.4.1 or later.", "Restart or redeploy the application to load the patched library.", "Implement input validation that limits the size of arrays before invoking deserialization to guard against oversized payloads."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Applications that incorporate the lxsmnsyc:seroval library, particularly Node.js projects that depend on Seroval version 1.4.0 or older, are vulnerable. The issue applies to any environment where serialized Seroval data is processed by the library.", "description_and_impact": "The Seroval library, used for JavaScript value stringification beyond JSON.stringify, contains a flaw in versions 1.4.0 and earlier. When a serialized array has an encoded length that is overridden with an excessively large value, the deserialization routine consumes disproportionately more time, allowing an attacker to exhaust server resources and cause a denial of service. This weakness is classified as a resource exhaustion vulnerability (CWE-770).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity condition, while an EPSS score of less than 1 % signals a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is inferred from the description; an attacker could supply a malicious payload during deserialization\u2014either via an HTTP request, a file upload, or a messaging channel\u2014to trigger the denial of service."}}}}, "created": "2026-01-22T10:08:18.627102+00:00", "updated": "2026-04-18T04:15:05.866778+00:00", "vendors": ["lxsmnsyc", "lxsmnsyc$PRODUCT$seroval"]}