advisory-database/advisories/github-reviewed/2026/01/GHSA-hx9m-jf43-8ffr/GHSA-hx9m-jf43-8ffr.json at 1a222529d000ff8b79c0dc9c132fe300868649f3 · github/advisory-database · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
{
  "schema_version": "1.4.0",
  "id": "GHSA-hx9m-jf43-8ffr",
  "modified": "2026-01-22T15:43:56Z",
  "published": "2026-01-21T16:57:06Z",
  "aliases": [
    "CVE-2026-23956"
  ],
  "summary": "seroval affected by Denial of Service via RegExp serialization",
  "details": "Overriding RegExp serialization with extremely large patterns can **exhaust JavaScript runtime memory** during deserialization. Additionally, overriding RegExp serialization with patterns that trigger **catastrophic backtracking** can lead to ReDoS (Regular Expression Denial of Service).  \n\n**Mitigation**:  \n`Seroval` introduces `disabledFeatures` (a bitmask) in serialization/deserialization methods, with `Feature.RegExp` as a dedicated flag. **Users are recommended to configure `disabledFeatures` to disable RegExp serialization entirely.**",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "seroval"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "1.4.1"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 1.4.0"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxsmnsyc/seroval"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T16:57:06Z",
    "nvd_published_at": "2026-01-22T02:15:52Z"
  }
}