CVE-2026-24006

7.5 HIGH

📋 TL;DR

Seroval versions 1.4.0 and below have a stack overflow vulnerability when serializing deeply nested objects, causing denial of service. This affects applications using Seroval for JavaScript value serialization. The vulnerability can be triggered by malicious input to serialization functions.

💻 Affected Systems

Products:
  • Seroval
Versions: 1.4.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when serializing deeply nested objects.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crashes due to stack overflow, causing complete denial of service and potential data loss in unsaved operations.

🟠 Likely Case: Application instability or crashes when processing maliciously crafted serialization requests, leading to service disruption.

🟢 If Mitigated: Controlled error handling with a depth limit prevents crashes, though serialization requests exceeding the limit will fail.

🌐 Internet-Facing: MEDIUM - Attackers can send malicious serialization requests to exposed endpoints, but requires specific application functionality.
🏢 Internal Only: LOW - Requires internal users to trigger the vulnerability through application functionality.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to provide input to serialization functions. No authentication bypass needed if serialization endpoints are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx

Restart Required: No

Instructions:

1. Update the Seroval package to version 1.4.1 or higher.
2. Run npm update seroval or yarn upgrade seroval.
3. Test serialization functionality after the update.

🔧 Temporary Workarounds

Implement input validation (applies to: all): Validate and limit the depth of objects before passing them to Seroval serialization functions.

Wrap serialization calls (applies to: all): Wrap Seroval calls in try-catch blocks and implement custom depth checking.
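The two workarounds above combined into one guard, as an added example that is not code from the Seroval project or from this advisory. The serializer is injected as a parameter so the snippet runs without the seroval package installed; in production you would pass Seroval's serialize function in its place (an assumption about how your application calls it). The names MAX_DEPTH, measureDepth, safeSerialize, buildNested and naiveSerialize are chosen here, and all inputs are constructed.

```javascript
// Added example, not from Seroval or the advisory: a depth guard in front of a
// serializer, plus the try/catch fallback. The serializer is passed in so the
// file runs offline; in real code pass seroval's serialize here (assumption).

const MAX_DEPTH = 64; // constructed limit: set it to the deepest shape your app legitimately produces

// Iterative depth measurement: an explicit stack means the check itself cannot
// overflow on hostile input. Children are pushed in reverse so nodes are
// visited in the pre-order a recursive serializer would use; a node reached
// again later is skipped, which is also where a reference-tracking serializer
// (Seroval supports cycles) stops recursing. Primitives have depth 0, an empty
// object or array depth 1.
function measureDepth(value, limit = MAX_DEPTH) {
  if (value === null || typeof value !== 'object') return 0;
  const seen = new WeakSet();
  const stack = [[value, 1]];
  let deepest = 0;
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (seen.has(node)) continue;
    seen.add(node);
    if (depth > deepest) {
      deepest = depth;
      if (deepest > limit) return deepest; // already over budget: stop walking
    }
    let children;
    if (node instanceof Map) children = [...node.keys(), ...node.values()];
    else if (node instanceof Set) children = [...node];
    else children = Object.values(node);
    for (let i = children.length - 1; i >= 0; i--) {
      const child = children[i];
      if (child !== null && typeof child === 'object') stack.push([child, depth + 1]);
    }
  }
  return deepest;
}

// Reject over-deep input with a controlled result before the serializer sees
// it, and turn a stack overflow that still happens into the same controlled
// result instead of a process crash. Other errors are rethrown: they are bugs.
function safeSerialize(serialize, value, limit = MAX_DEPTH) {
  if (measureDepth(value, limit) > limit) {
    return { ok: false, reason: `nesting depth exceeds limit of ${limit}` };
  }
  try {
    return { ok: true, output: serialize(value) };
  } catch (err) {
    if (err instanceof RangeError) { // "Maximum call stack size exceeded"
      return { ok: false, reason: 'serializer overflowed the call stack' };
    }
    throw err;
  }
}

// Constructed test input: `levels` wrappers around {} gives depth levels + 1.
function buildNested(levels) {
  let obj = {};
  for (let i = 0; i < levels; i++) obj = { child: obj };
  return obj;
}

// Stand-in recursive serializer, used only to show the try/catch path; it
// overflows on deep input the way the advisory describes. Not Seroval's code.
function naiveSerialize(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  const parts = Object.keys(value).map((k) => `${JSON.stringify(k)}:${naiveSerialize(value[k])}`);
  return `{${parts.join(',')}}`;
}

const selfRef = { name: 'cfg' };
selfRef.me = selfRef; // legitimate cycle: must pass the depth check, not be rejected

console.log(safeSerialize(JSON.stringify, { a: [1, { b: 2 }] }));
console.log(safeSerialize(naiveSerialize, buildNested(200000)));      // rejected by the depth check
console.log(safeSerialize(naiveSerialize, buildNested(200000), 1e6)); // overflow caught, no crash
console.log(measureDepth(selfRef));                                   // 1
```

Keep the two layers: the depth check is the cheap front line and rejects hostile input without ever entering the serializer, while the RangeError catch is the backstop for shapes the estimate missed. The limit should be set from the deepest structure the application legitimately produces, not from how deep the library happens to survive.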

🧯 If You Can't Patch

  • Implement rate limiting on serialization endpoints to reduce attack surface
  • Deploy application-level monitoring for stack overflow errors and implement automatic restart mechanisms

🔍 How to Verify

Check if Vulnerable:

Check package.json for Seroval version <=1.4.0 or examine node_modules/seroval/package.json

Check Version:

npm list seroval or grep version node_modules/seroval/package.json

Verify Fix Applied:

Verify Seroval version is >=1.4.1 and test serialization with deeply nested objects to ensure proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow errors
  • Maximum call stack size exceeded errors
  • Application crashes during serialization

Network Indicators:

  • Repeated serialization requests with large payloads
  • Unusually deep JSON structures in requests

SIEM Query:

source="application.logs" AND ("Maximum call stack" OR "stack overflow" OR "RangeError")
