Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1.
A flaw was found in seroval. A remote attacker can exploit this vulnerability by providing specially crafted input that overrides encoded array lengths with an excessively large value during the deserialization process. This manipulation causes the application to significantly increase processing time, leading to a Denial of Service (DoS).
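The bug class described above, as an added illustration that is not seroval's code and does not use seroval's wire format: a toy length-prefixed array encoding (hypothetical, invented for this example) is parsed once by a deserializer that trusts the declared length and once by a hardened one that checks the declared length against the input and a cap before any loop or allocation depends on it.

```javascript
// Added example, not seroval's code. Toy format invented for this page:
// "A<len>:<v1>,<v2>,...;" where every value is a decimal number.
const MAX_ARRAY_LEN = 10_000; // assumed application-level cap

function parseHeader(text) {
  const m = /^A(\d+):(.*);$/s.exec(text);
  if (!m) throw new Error('malformed input');
  const declared = Number(m[1]);
  const items = m[2] === '' ? [] : m[2].split(',');
  return { declared, items };
}

// Vulnerable pattern: the loop bound is the untrusted declared length, so an
// input such as "A4294967295:1;" makes this loop about four billion times.
function deserializeTrusting(text) {
  const { declared, items } = parseHeader(text);
  const out = new Array(declared);
  for (let i = 0; i < declared; i++) {
    out[i] = items[i] === undefined ? undefined : Number(items[i]);
  }
  return out;
}

// Hardened: the declared length must be a safe integer under the cap and must
// equal the number of items actually present before it drives any work.
function deserializeChecked(text) {
  const { declared, items } = parseHeader(text);
  if (!Number.isSafeInteger(declared) || declared > MAX_ARRAY_LEN) {
    throw new RangeError(`declared length ${declared} exceeds cap ${MAX_ARRAY_LEN}`);
  }
  if (declared !== items.length) {
    throw new RangeError(`declared length ${declared} != ${items.length} items`);
  }
  return items.map(Number);
}

// Detection helper for a log or gateway rule: classifies an input as a
// length-override attempt without deserializing it. Returns a reason or null.
function flagLengthOverride(text) {
  try {
    const { declared, items } = parseHeader(text);
    if (declared > MAX_ARRAY_LEN) return 'length-cap';
    if (declared !== items.length) return 'length-mismatch';
    return null;
  } catch {
    return 'malformed';
  }
}
```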
Statement
This vulnerability is rated Important for Red Hat because seroval, a JavaScript value stringification library, can be exploited to cause a Denial of Service. An attacker can provide an excessively large value for encoded array lengths during deserialization, leading to a significant increase in processing time. This affects versions 1.4.0 and below of seroval, which is used in components like forgejo in Fedora and EPEL.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
Seroval affected by Denial of Service via Array serialization
EPSS:
CVSS3: 7.5 High