CVE-2026-24006

Опубликовано: 22 янв. 2026

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

Ссылки

https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
Patch
https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:*:*:*

Версия до 1.4.1 (исключая)

EPSS

Процентиль: 8%

0.00027

Низкий

7.5 High

CVSS3

Дефекты

CWE-770

Связанные уязвимости

CVE-2026-24006

CVSS3: 7.5

redhat

2 месяца назад

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

GHSA-3j22-8qj3-26mx

CVSS3: 7.5

github

2 месяца назад

Seroval affected by Denial of Service via Deeply Nested Objects

EPSS

Процентиль: 8%

0.00027

Низкий

7.5 High

CVSS3

Дефекты

CWE-770