CVE-2026-23956: RegExhaustion: Crashing Seroval with Malicious Patterns

#security #cve #cybersecurity

RegExhaustion: Crashing Seroval with Malicious Patterns

Vulnerability ID: CVE-2026-23956
CVSS Score: 7.5
Published: 2026-01-21

A resource exhaustion vulnerability in the seroval JavaScript serialization library allows attackers to trigger Denial of Service (DoS) via malicious RegExp payloads. By exploiting the lack of input validation on deserialized RegExp strings, attackers can force the server into catastrophic backtracking or Out-of-Memory (OOM) states.

TL;DR

Seroval didn't check the size or complexity of Regular Expressions during deserialization. Attackers can send a JSON payload containing a 'bomb'—either a massive string to crash memory or a ReDoS pattern to spike CPU—taking down the Node.js process instantly.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-400 (Uncontrolled Resource Consumption)
Attack Vector: Network (JSON Payload)
CVSS: 7.5 (High)
Impact: Denial of Service (DoS)
Exploit Status: PoC Available
Key Fix: Feature Flags + Length Limits

Affected Systems

Node.js applications using seroval
Server-Side Rendering (SSR) frameworks utilizing seroval for hydration
Applications deserializing untrusted state using seroval
seroval: < 1.4.1 (Fixed in: 1.4.1)

Code Analysis

Commit: ce9408e

fix: disable RegExp serialization by default or limit size

+ if (features & Feature.RegExp) { ... }

Exploit Details

Manual: Commit diff shows remediation of uncontrolled RegExp constructor usage.

Mitigation Strategies

Disable RegExp deserialization via Feature Flags if not required.
Update to patched versions to enforce length limits.
Sanitize input lengths at the API gateway level.

Remediation Steps:

Update seroval to version >= 1.4.1.
Audit codebases for usage of seroval.fromJSON or deserialize.
Implement disabledFeatures: Feature.RegExp in serialization options where applicable.
Monitor application logs for SerovalUnsupportedTypeError which may indicate attack attempts.