DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23957: Death by Allocation: Crashing Seroval with a Single Byte


Vulnerability ID: CVE-2026-23957
CVSS Score: 7.5
Published: 2026-01-21

A resource exhaustion vulnerability in the Seroval serialization library allows attackers to trigger Out-of-Memory (OOM) crashes by supplying fake length metadata in serialized payloads.

TL;DR

Seroval trusted the length claimed by incoming data (its length or size properties) before validating the data that was actually present. By sending a tiny payload claiming to contain billions of items, an attacker can force the server to attempt a massive memory allocation, instantly crashing the Node.js process.
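To make the mechanism concrete, here is an added illustrative mini-deserializer written for this post; it is not Seroval's code. It borrows the identifiers visible in the patch (node.l, node.a, depth, ctx.base.depthLimit) but the node shape { t, l, a }, the 'lit' leaf type and the function names are assumptions made for the demo. The trusting version sizes its output by the claimed l, so a one-element payload that claims 1000 entries yields a 1000-slot array; the hardened version takes the length from the items that are actually present and rejects nesting beyond depthLimit.

```javascript
'use strict';
// Illustrative mini-deserializer, NOT Seroval's code. Node shapes are assumed:
//   { t: 'lit', v: <primitive> }                       leaf value
//   { t: 'array', l: <claimed length>, a: [ ...children ] }
// `l`, `a`, `depth` and `ctx.base.depthLimit` mirror identifiers in the patch;
// everything else is invented for this demonstration.

// Vulnerable pattern: output size is driven by the attacker-supplied `l`,
// not by how many child nodes were actually sent.
function deserializeTrusting(node) {
  if (node.t === 'lit') return node.v;
  if (node.t === 'array') {
    const len = node.l;                 // trusted claim from the payload
    const result = new Array(len);      // allocation sized by that claim
    for (let i = 0; i < len; i++) {
      const child = node.a[i];          // undefined once real items run out
      result[i] = child === undefined ? undefined : deserializeTrusting(child);
    }
    return result;
  }
  throw new Error('demo: unknown node type');
}

// Hardened pattern: length comes from the items really present, and
// recursion depth is bounded by a context-level limit.
function makeContext(depthLimit = 32) {
  return { base: { depthLimit } };
}

function deserializeSafe(node, ctx = makeContext(), depth = 0) {
  if (depth > ctx.base.depthLimit) {
    throw new Error('demo: depth limit exceeded');
  }
  if (node.t === 'lit') return node.v;
  if (node.t === 'array') {
    const items = node.a;
    if (!Array.isArray(items)) throw new Error('demo: array node without items');
    const len = items.length;           // derived from real content; `l` is ignored
    const result = new Array(len);
    for (let i = 0; i < len; i++) {
      result[i] = deserializeSafe(items[i], ctx, depth + 1);
    }
    return result;
  }
  throw new Error('demo: unknown node type');
}

// Constructed sample: a single literal that claims to be 1000 entries.
// (The claimed count is kept small so the demo finishes instantly.)
const lyingPayload = { t: 'array', l: 1000, a: [{ t: 'lit', v: 1 }] };

// Constructed sample: `depth` nested arrays around one literal.
function nest(depth) {
  let node = { t: 'lit', v: 0 };
  for (let i = 0; i < depth; i++) node = { t: 'array', l: 1, a: [node] };
  return node;
}

function demo() {
  const trusting = deserializeTrusting(lyingPayload).length; // sized by the claim
  const safe = deserializeSafe(lyingPayload).length;         // sized by the content
  let deepRejected = false;
  try { deserializeSafe(nest(40)); } catch (e) { deepRejected = true; }
  return { trusting, safe, deepRejected };
}
```

Calling demo() returns { trusting: 1000, safe: 1, deepRejected: true }. The bytes received are the same in both cases; only the trusting version lets the number asserted in the payload decide how much memory is allocated, which is the whole bug.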


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS (Est.): 7.5 (High)
  • Impact: Availability (DoS)
  • Bug Class: Resource Exhaustion / Uncontrolled Allocation
  • Patch Commit: ce9408ebc87312fcad345a73c172212f2a798060

Affected Systems

  • Node.js Applications using Seroval
  • Full-stack JS Frameworks (SSR)
  • Data Hydration Systems
  • lxsmnsyc/seroval: < 1.4.1 (Fixed in: 1.4.1)

Code Analysis

Commit: ce9408e

Fix resource exhaustion by validating length and limiting depth

- const len = node.l;
+ const items = node.a;
+ const len = items.length;
+ if (depth > ctx.base.depthLimit) throw new Error();
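Review bot: the `throw new Error()` on the depth-limit line carries no message, so an operator reading the crash log cannot distinguish a depth-limit rejection from any other deserialization failure; suggest `throw new Error('depth limit exceeded')` or a dedicated error type so the rejection is identifiable in monitoring. Also, `const len = items.length` assumes `node.a` is always an array; if a payload can omit or mistype `a`, an `Array.isArray(items)` guard before reading `.length` turns a TypeError into a clear validation error.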

Exploit Details

  • Internal Research: Exploit derived from patch diff: create serialized Array node with large 'l' property.

Mitigation Strategies

  • Upgrade to the patched version (1.4.1 or later)
  • Input validation: derive collection sizes from the items actually present, not from length metadata in the payload
  • Resource limits: bound nesting depth (and payload size) before deserializing

Remediation Steps:

  1. Check package.json for seroval or libraries that depend on it.
  2. Run npm install seroval@^1.4.1 or yarn upgrade seroval.
  3. Verify the installed version using npm list seroval.
  4. Review deserialization options and reduce depthLimit if applicable.

References

Read the full report for CVE-2026-23957 on our website for more details including interactive diagrams and full exploit analysis.
