Description
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
A flaw was found in seroval. An attacker could exploit this vulnerability by providing a specially crafted JavaScript (JS) object with extreme depth during the serialization process. This could lead to exceeding the maximum call stack limit, resulting in a Denial of Service (DoS) for the application using the seroval library.
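The mechanism described above (unbounded recursion over nested input, and the fix of an explicit depth limit that raises a controlled error) as an added JavaScript example. This is not seroval's code: the two serializers are toy stand-ins for a recursive stringifier, `nest` builds a constructed sample input, and the limit value of 64 is a placeholder a deployment would tune.

```javascript
// Added example, not seroval's own code: a toy recursive stringifier with and
// without an explicit depth limit, plus a non-recursive pre-check a caller can
// run before handing untrusted data to any recursive serializer.
// DEPTH_LIMIT is a placeholder value; a deployment would tune it.

const DEPTH_LIMIT = 64;

// Builds a chain of nested objects of the given depth (constructed sample
// input). Built iteratively so that constructing it never touches the stack.
function nest(depth) {
  let value = 'leaf';
  for (let i = 0; i < depth; i++) value = { next: value };
  return value;
}

// Pre-check using an explicit stack: returns true as soon as any value sits
// deeper than `limit`. Because it never recurses, it cannot itself be driven
// into a stack overflow by the input it is meant to reject. Cycles are
// skipped via `seen` so that self-referencing objects terminate.
function exceedsDepthLimit(value, limit = DEPTH_LIMIT) {
  const stack = [[value, 0]];
  const seen = new Set();
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (depth > limit) return true;
    if (node === null || typeof node !== 'object' || seen.has(node)) continue;
    seen.add(node);
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return false;
}

// The failure mode the advisory describes: recursion with no bound, so a
// deep enough input exhausts the call stack and the engine throws.
function serializeUnbounded(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) {
    return '[' + value.map(serializeUnbounded).join(',') + ']';
  }
  return '{' + Object.entries(value)
    .map(([k, v]) => JSON.stringify(k) + ':' + serializeUnbounded(v))
    .join(',') + '}';
}

// The fix pattern: the same recursion, but every level checks an explicit
// depth counter and throws a controlled error long before the stack runs out.
function serializeBounded(value, depthLimit = DEPTH_LIMIT) {
  function walk(node, depth) {
    if (depth > depthLimit) {
      throw new RangeError(`depth limit of ${depthLimit} exceeded`);
    }
    if (node === null || typeof node !== 'object') return JSON.stringify(node);
    if (Array.isArray(node)) {
      return '[' + node.map((c) => walk(c, depth + 1)).join(',') + ']';
    }
    return '{' + Object.entries(node)
      .map(([k, v]) => JSON.stringify(k) + ':' + walk(v, depth + 1))
      .join(',') + '}';
  }
  return walk(value, 0);
}

// Returns true when the serializer threw on the given input (used to compare
// the two behaviours without letting the error escape).
function throwsOn(serializer, value) {
  try {
    serializer(value);
    return false;
  } catch (e) {
    return true;
  }
}

// Usage: ordinary input passes; a hostile chain overflows the unbounded
// version (engine stack-size error) but is rejected early by the bounded one.
console.log(serializeBounded(nest(2)));                  // {"next":{"next":"leaf"}}
console.log(exceedsDepthLimit(nest(200000)));            // true
console.log(throwsOn(serializeUnbounded, nest(200000))); // true (stack exhausted)
console.log(throwsOn(serializeBounded, nest(200000)));   // true (controlled error)
```

The pre-check is deliberately iterative: a guard that walks the input recursively would be overflowed by the same input it is meant to reject. The depth limit itself has to be chosen per deployment, high enough for legitimate payloads and well below the engine's stack capacity.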
Statement
This vulnerability is rated Important for Red Hat products as it can lead to a Denial of Service in applications utilizing the Seroval library. Specifically, deeply nested objects processed by Seroval versions 1.4.0 and below can exhaust the call stack, causing application instability. Red Hat products like Forgejo in Fedora and EPEL are affected if they use vulnerable versions of Seroval.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Seroval affected by Denial of Service via Deeply Nested Objects
EPSS
CVSS3: 7.5 High