CVE-2026-23957

7.5 HIGH

📋 TL;DR

CVE-2026-23957 is a denial-of-service vulnerability in the seroval JavaScript serialization library, versions 1.4.0 and below. An attacker who can supply serialized data to a vulnerable application can plant a manipulated array length in the payload so that deserialization consumes excessive CPU, leaving the application unresponsive. Any application that deserializes untrusted input with an affected seroval version is exposed.

💻 Affected Systems

Products:
  • seroval
Versions: 1.4.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that deserializes data with seroval is vulnerable by default. seroval is often pulled in as a transitive dependency of a framework rather than listed directly, so check the lockfile, not only package.json.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to resource exhaustion, potentially affecting multiple services if seroval is used in shared infrastructure.

🟠 Likely Case: Degraded application performance and intermittent service disruptions while malicious payloads are being processed.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires sending specially crafted serialized data to an endpoint that passes it to seroval for deserialization; no authentication or user interaction is implied by the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6

Restart Required: Yes

Instructions:

1. Update the seroval dependency to version 1.4.1 or higher.
2. Run npm update seroval or yarn upgrade seroval. If seroval is only a transitive dependency, update the package that depends on it, or pin it with an npm "overrides" / yarn "resolutions" entry so the lockfile resolves to 1.4.1 or higher.
3. Restart the application.
4. Test serialization/deserialization functionality.

🔧 Temporary Workarounds

Input validation and size limits (applies to: all)

Implement strict input validation and size limits on serialized data before processing.

Resource limiting (applies to: all)

Configure CPU and memory limits on processes using seroval to prevent complete resource exhaustion.

🧯 If You Can't Patch

  • Treat serialized input as untrusted: enforce a maximum payload size and reject payloads whose declared array lengths are implausibly large or do not match the number of elements actually present, before handing them to seroval.
  • Deploy rate limiting and monitoring to detect and block DoS attempts.
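The two workarounds above (input validation with size limits, and rejecting suspicious declared array lengths) as one guard function. This is an added example, not seroval's own code and not from the advisory. The field names `l` (declared length) and `a` (array members) are an assumption about the node shape seroval's toJSON() emits and must be verified against the version you ship; the byte, depth and node-count caps are format-agnostic and hold regardless of that assumption.

```javascript
// Added example (not seroval's code): guard untrusted seroval JSON payloads before deserialization.
// ASSUMPTION: `l` is a declared length and `a` the array members in seroval's JSON node shape.
// The byte, depth and node-count caps do not depend on that assumption.

const DEFAULT_LIMITS = {
  maxBytes: 256 * 1024,       // whole payload, UTF-8 bytes
  maxDepth: 64,               // nesting depth of the parsed JSON tree
  maxNodes: 50_000,           // values visited while walking the tree
  maxDeclaredLength: 10_000,  // upper bound for any declared array length
};

// Returns { ok: true, tree } for an acceptable payload, { ok: false, reason } otherwise.
function inspectSerializedPayload(raw, limits = {}) {
  const cfg = { ...DEFAULT_LIMITS, ...limits };
  if (typeof raw !== 'string') return { ok: false, reason: 'payload must be a string' };
  if (Buffer.byteLength(raw, 'utf8') > cfg.maxBytes) return { ok: false, reason: 'payload exceeds maxBytes' };

  let tree;
  try {
    tree = JSON.parse(raw);
  } catch {
    return { ok: false, reason: 'payload is not valid JSON' };
  }

  // Iterative walk: recursion here would let a deeply nested payload blow the call stack.
  let visited = 0;
  const stack = [[tree, 0]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (++visited > cfg.maxNodes) return { ok: false, reason: 'payload exceeds maxNodes' };
    if (depth > cfg.maxDepth) return { ok: false, reason: 'payload exceeds maxDepth' };
    if (node === null || typeof node !== 'object') continue;

    if (Array.isArray(node)) {
      for (const child of node) stack.push([child, depth + 1]);
      continue;
    }

    // Declared-length check: the value a deserializer would loop over must be a small,
    // non-negative integer and must agree with the members actually present.
    if ('l' in node) {
      const len = node.l;
      if (!Number.isInteger(len) || len < 0 || len > cfg.maxDeclaredLength) {
        return { ok: false, reason: 'declared length out of range' };
      }
      if (Array.isArray(node.a) && node.a.length !== len) {
        return { ok: false, reason: 'declared length does not match element count' };
      }
    }
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return { ok: true, tree };
}

// Constructed samples (not captured traffic): a plausible benign node and a tampered one
// whose declared length is far larger than the two members it carries.
const BENIGN = JSON.stringify({ t: 1, i: 0, l: 2, a: [{ t: 0, s: 'a' }, { t: 0, s: 'b' }] });
const TAMPERED = JSON.stringify({ t: 1, i: 0, l: 2_000_000_000, a: [] });

// Usage in a request handler (the seroval call is a comment so this file runs without it):
//   const check = inspectSerializedPayload(req.body);
//   if (!check.ok) return res.status(400).end(check.reason);
//   const value = fromJSON(check.tree);   // import { fromJSON } from 'seroval'
```

The guard runs before seroval sees the data, so the cost of a rejected payload is one JSON.parse bounded by maxBytes rather than whatever work the manipulated length would have driven. Tune maxDeclaredLength to the largest array your application legitimately transfers; the other caps rarely need to change.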

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for seroval version <=1.4.0.

Check Version:

npm list seroval
yarn list seroval

Verify Fix Applied:

Verify seroval version is 1.4.1 or higher in package.json and test deserialization with various inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage by processes using seroval
  • Increased deserialization processing times
  • Application timeouts or crashes during data processing

Network Indicators:

  • Large serialized payloads being sent to applications
  • Repeated serialized data requests to endpoints using seroval

SIEM Query (pseudo-query; adapt the field names to your platform):

process.cpu_usage > 90% AND process.name contains 'node'

The library name does not appear in a Node process's arguments, so do not filter on 'seroval' there; identify the affected services from your dependency inventory (the lockfile check above) and scope the query to those hosts or containers, then correlate the CPU spike with slow or timed-out requests on the endpoints that deserialize client data.
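The log indicators above (increased deserialization times, timeouts) are only observable if deserialization is instrumented. This added example, not seroval's code and not from the advisory, wraps a deserialize call so each invocation emits one JSON log line, and then runs a triage over such lines to flag sources that produce a very slow call or a burst of slow calls. The log field names (ts, src, route, bytes, ms, outcome), the thresholds and the sample lines are this example's own choices.

```javascript
// Added example (not seroval's code): timing instrumentation around a deserialize call plus
// an offline triage over the resulting log lines. Field names and thresholds are assumptions.

// Wrap whichever seroval entry point you call (deserialize, fromJSON, ...) so every call
// produces a one-line JSON record that can be shipped to the SIEM.
function timedDeserialize(deserializeFn, raw, meta, sink = (line) => console.log(line)) {
  const start = process.hrtime.bigint();
  let outcome = 'ok';
  try {
    return deserializeFn(raw);
  } catch (err) {
    outcome = 'error';
    throw err;
  } finally {
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    sink(JSON.stringify({
      ts: new Date().toISOString(),
      ...meta,
      bytes: Buffer.byteLength(raw, 'utf8'),
      ms: Math.round(ms * 1000) / 1000,
      outcome,
    }));
  }
}

// Triage: flag a source when any single call exceeds slowMs, or when more than `burst`
// calls above warnMs land within windowMs. Returns a Map of src -> array of reasons.
function triageDeserializeLogs(lines, { slowMs = 500, warnMs = 100, burst = 5, windowMs = 60_000 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }   // skip lines that are not our records
    if (typeof rec.ms !== 'number' || typeof rec.src !== 'string') continue;
    if (!bySrc.has(rec.src)) bySrc.set(rec.src, []);
    bySrc.get(rec.src).push({ t: Date.parse(rec.ts), ms: rec.ms });
  }

  const flagged = new Map();
  for (const [src, events] of bySrc) {
    const reasons = [];
    events.sort((a, b) => a.t - b.t);
    if (events.some((e) => e.ms > slowMs)) reasons.push('single call above slowMs');

    // Sliding window over warn-level events: lo..hi always spans at most windowMs.
    const warn = events.filter((e) => e.ms > warnMs);
    let lo = 0;
    for (let hi = 0; hi < warn.length; hi++) {
      while (warn[hi].t - warn[lo].t > windowMs) lo++;
      if (hi - lo + 1 > burst) { reasons.push('burst of slow calls'); break; }
    }
    if (reasons.length > 0) flagged.set(src, reasons);
  }
  return flagged;
}

// Constructed sample log lines (not captured traffic): one client hammering the endpoint with
// moderately slow payloads, one client with a single very slow call, one normal client, and
// an unrelated line that the triage must skip.
const SAMPLE_LOG = [
  ...Array.from({ length: 7 }, (_, i) => JSON.stringify({
    ts: `2026-01-10T12:00:${String(i * 4).padStart(2, '0')}.000Z`,
    src: '203.0.113.7', route: '/api/hydrate', bytes: 180_000, ms: 150 + i, outcome: 'ok',
  })),
  JSON.stringify({ ts: '2026-01-10T12:01:00.000Z', src: '192.0.2.9', route: '/api/hydrate', bytes: 240_000, ms: 2400, outcome: 'ok' }),
  JSON.stringify({ ts: '2026-01-10T12:01:05.000Z', src: '198.51.100.2', route: '/api/hydrate', bytes: 900, ms: 3, outcome: 'ok' }),
  'not a json record',
];
```

Ship the records with a field that identifies the service, then the SIEM side reduces to the same two rules the triage function applies: a single call far above the route's normal latency, or many warn-level calls from one source inside a short window. Pair the burst rule with the rate limiting suggested under "If You Can't Patch".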
