PatchSiren cyber security CVE debrief

CVE-2026-23956 lxsmnsyc CVE debrief

CVE-2026-23956 is a high-severity vulnerability in Seroval, a JavaScript library for serializing complex values beyond what JSON.stringify supports. The issue affects versions 0.2.0 through 1.4.0 and was published on January 22, 2026, with a subsequent modification on May 20, 2026. The vulnerability stems from improper handling of user-controlled RegExp serialization, enabling two distinct attack vectors: memory exhaustion through extremely large pattern strings during deserialization, and Regular Expression Denial of Service (ReDoS) via patterns engineered to trigger catastrophic backtracking. The CVSS 3.1 score of 7.5 reflects a network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact. The underlying weakness is categorized as CWE-1333 (Inefficient Regular Expression Complexity). The maintainer addressed both vectors in version 1.4.1 through a commit that implements proper validation and limits on RegExp pattern handling. Organizations using Seroval for server-side serialization of untrusted data should prioritize upgrading, as the vulnerability is exploitable without authentication and could destabilize Node.js runtime environments.

Vendor
lxsmnsyc
Product
seroval
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-22
Original CVE updated
2026-05-20
Advisory published
2026-01-22
Advisory updated
2026-05-20

Who should care

Organizations running Node.js applications that use Seroval for serialization of potentially untrusted data, particularly those exposing deserialization endpoints to network input

Technical summary

Seroval versions 0.2.0 through 1.4.0 permit attackers to override RegExp serialization with malicious patterns. Large patterns cause memory exhaustion during deserialization; crafted patterns with catastrophic backtracking induce ReDoS. Both attacks target availability without requiring authentication or user interaction. The fix in 1.4.1 adds proper validation and constraints on RegExp handling.

Defensive priority

high

Recommended defensive actions

  • Upgrade Seroval to version 1.4.1 or later to remediate both memory exhaustion and ReDoS vectors
  • If immediate patching is not feasible, implement input validation to reject untrusted RegExp patterns before serialization
  • Review application logic for any user-controlled paths that influence RegExp serialization through Seroval
  • Monitor application memory usage and implement resource limits on deserialization operations as defense in depth
  • Audit dependencies for transitive inclusion of vulnerable Seroval versions in package-lock.json or yarn.lock
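The second and fourth actions above (reject untrusted RegExp patterns before they reach serialization, and cap the resources a deserialization step may consume) can be implemented as a small gate in front of whatever serializer the application uses. The following is an added example written for this debrief; it is not Seroval's own code and does not call any Seroval API. The function names `validateRegExpPattern`, `hasNestedQuantifier` and `screenPatterns`, the 1024-character cap, and the sample patterns are all assumptions chosen for illustration.

```javascript
// Added example (not Seroval's code): a defensive gate that screens RegExp
// pattern strings before an application hands them to a serializer/deserializer.
// All names and limits here are assumptions for illustration.

// Assumed cap on pattern length. The CVE's memory-exhaustion vector relies on
// very large pattern strings, so a hard bound on source length is the first check.
const MAX_PATTERN_LENGTH = 1024;

// Heuristic for the classic catastrophic-backtracking shape: a group that
// contains a quantifier and is itself quantified, e.g. (a+)+ or (\d*)*.
// Escapes and character classes are skipped so that "\(" or "[+*]" do not
// count as group or quantifier syntax.
function hasNestedQuantifier(source) {
  const outer = [];          // saved "saw a quantifier" flag for each enclosing group
  let sawQuantifier = false; // did the group currently being scanned contain + * {
  let inClass = false;       // inside [...]

  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }            // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { outer.push(sawQuantifier); sawQuantifier = false; continue; }
    if (c === ')') {
      const innerHadQuantifier = sawQuantifier;
      sawQuantifier = outer.length ? outer.pop() : false;
      const next = source[i + 1];
      // A quantified group that already contained a quantifier: flag it.
      if (innerHadQuantifier && (next === '+' || next === '*' || next === '{')) return true;
      continue;
    }
    if (c === '+' || c === '*' || c === '{') sawQuantifier = true;
  }
  return false;
}

// Validates a (source, flags) pair and returns { ok, reason } so callers can
// log the rejection reason instead of silently dropping the value.
function validateRegExpPattern(source, flags = '') {
  if (typeof source !== 'string') {
    return { ok: false, reason: 'pattern source is not a string' };
  }
  if (source.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern exceeds ${MAX_PATTERN_LENGTH} characters` };
  }
  if (hasNestedQuantifier(source)) {
    return { ok: false, reason: 'nested quantifier (catastrophic backtracking risk)' };
  }
  try {
    new RegExp(source, flags); // also rejects invalid flags and malformed syntax
  } catch (e) {
    return { ok: false, reason: `invalid pattern: ${e.message}` };
  }
  return { ok: true, reason: '' };
}

// Screens a batch of untrusted candidates; returns accepted and rejected lists.
function screenPatterns(candidates) {
  const accepted = [];
  const rejected = [];
  for (const { source, flags } of candidates) {
    const result = validateRegExpPattern(source, flags);
    (result.ok ? accepted : rejected).push({ source, flags, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed sample input: two benign patterns, one backtracking shape,
// one oversized pattern, one with invalid flags.
const SAMPLE_CANDIDATES = [
  { source: '^[a-z]+@[a-z]+\\.[a-z]{2,}$', flags: 'i' },
  { source: '(\\d{3})-(\\d{4})', flags: '' },
  { source: '(a+)+$', flags: '' },
  { source: 'a'.repeat(MAX_PATTERN_LENGTH + 1), flags: '' },
  { source: 'abc', flags: 'zz' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const { accepted, rejected } = screenPatterns(SAMPLE_CANDIDATES);
  console.log(`accepted ${accepted.length}, rejected ${rejected.length}`);
  for (const r of rejected) console.log(`rejected: ${r.reason}`);
}

module.exports = { MAX_PATTERN_LENGTH, hasNestedQuantifier, validateRegExpPattern, screenPatterns, SAMPLE_CANDIDATES };
```

The nested-quantifier scan is a heuristic, not a proof of linear-time matching: it catches the `(x+)+` family but not ambiguous alternations such as `(a|aa)+`, so it belongs in front of, not instead of, the upgrade to 1.4.1. The length cap is the check that directly addresses the memory-exhaustion vector, and it should be sized to the largest pattern the application legitimately needs to round-trip.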

Evidence notes

Vulnerability description and version range confirmed through NVD CPE criteria and GitHub Security Advisory. Patch commit ce9408ebc87312fcad345a73c172212f2a798060 verified as remediation. CWE-1333 classification sourced from [email protected]. CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H from NVD metadata.

Official resources

2026-01-22T02:15:52.310Z