
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24006: Infinite Matryoshka: Crashing Seroval with Recursion


Vulnerability ID: CVE-2026-24006
CVSS Score: 7.5
Published: 2026-01-22

A high-severity Denial of Service (DoS) vulnerability in the Seroval JavaScript serialization library allows attackers to crash applications via stack exhaustion. By supplying deeply nested objects, attackers can trigger unbounded recursion, exceeding the V8 call stack limit.

TL;DR

Seroval 1.4.0 and earlier place no limit on recursion depth while walking an object graph for serialization. An attacker who can get a crafted, deeply nested object (for example a JSON payload 10,000 levels deep) into a code path that serializes it forces one stack frame per nesting level until V8 throws 'RangeError: Maximum call stack size exceeded'. If nothing catches that exception, the Node.js process exits and the server is down. Version 1.4.1 adds a hard depth limit and fails with a SerovalDepthLimitError instead.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network (Remote)
  • CVSS: 7.5 (High)
  • EPSS: 0.036%
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications using Seroval <= 1.4.0
  • SSR frameworks utilizing Seroval for state hydration
  • seroval: <= 1.4.0 (Fixed in: 1.4.1)

Code Analysis

Commit: ce9408e

feat: add depth limit

export function parseSOS<T>(ctx: SOSParserContext, depth: number, current: T): SerovalNode {
+ if (depth >= ctx.base.depthLimit) {
+   throw new SerovalDepthLimitError(ctx.base.depthLimit);
+ }
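Review bot: the guard on `depth >= ctx.base.depthLimit` runs before `current` is inspected at all, so a `depthLimit` of 0 rejects even a top-level primitive, and the hunk shows neither where `depthLimit` gets its default nor where recursive callers pass `depth + 1`. Confirm the default is non-zero and documented (users on 1.4.0 who never configured one must still be protected), reject or clamp a zero limit where it is configured, and check that every recursive call site in parseSOS increments `depth`, otherwise the limit can never fire on that branch.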

Exploit Details

  • N/A: Conceptual PoC involves a simple loop creating nested objects to exceed stack depth.
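The conceptual PoC spelled out in runnable form, as an added example that is not seroval's code or the report's: a minimal recursive serializer standing in for the pre-1.4.1 walker, a payload built with a plain loop, and a probe that reports whether the walk ended in a RangeError. The function names are this example's own.

```javascript
// Added example (not seroval's code): a minimal recursive serializer that
// behaves like the pre-1.4.1 library with respect to nesting, plus the
// loop-built payload the report's conceptual PoC describes.

// Build an object nested `depth` levels deep. The loop is iterative on
// purpose: constructing the payload must not itself touch the call stack.
function makeNested(depth) {
  let obj = { leaf: true };
  for (let i = 0; i < depth; i++) obj = { child: obj };
  return obj;
}

// Naive recursive walker: one stack frame per nesting level and no limit,
// so input depth translates directly into stack depth.
function naiveSerialize(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  const parts = [];
  for (const [key, child] of Object.entries(value)) {
    parts.push(JSON.stringify(key) + ':' + naiveSerialize(child));
  }
  return '{' + parts.join(',') + '}';
}

// Run the walker on a payload of the given depth and classify the outcome.
// The RangeError is caught here only so the example can report it; in a
// request handler with no such catch it is an uncaught exception and the
// Node.js process exits.
function probe(depth) {
  try {
    naiveSerialize(makeNested(depth));
    return 'ok';
  } catch (err) {
    return err instanceof RangeError ? 'stack-exhausted' : 'other:' + err.name;
  }
}

console.log('depth 10:', probe(10));           // shallow input walks fine
console.log('depth 1000000:', probe(1000000)); // far past the V8 default stack
```

Nothing about the payload is exotic: it is the same nesting a JSON body can carry, which is why any endpoint that hands request data to a recursive serializer is reachable this way.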

Mitigation Strategies

  • Update Seroval to version 1.4.1+
  • Validate input depth before serialization, and make that check iterative (an explicit stack rather than recursion); a recursive depth check is exhausted by the very payload it is meant to reject
  • Monitor for 'RangeError: Maximum call stack size exceeded' in application and crash (stderr) output, and for unexplained process restarts, since an uncaught RangeError ends the process
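One way to implement the depth-validation mitigation, as an added example that is not seroval's code: an iterative depth measurement that cannot itself overflow, a guard that raises a specific error, and a recursive walker carrying the same kind of entry check the 1.4.1 fix adds. DEPTH_LIMIT, DepthLimitError and the helper names are assumptions chosen for this illustration (the library's own error is SerovalDepthLimitError).

```javascript
// Added example (not seroval's code): validate nesting depth before handing
// untrusted input to any recursive serializer. DEPTH_LIMIT, DepthLimitError
// and the helpers below are assumed names chosen for this illustration.
const DEPTH_LIMIT = 64; // assumed ceiling; size it to the deepest shape you legitimately send

class DepthLimitError extends Error {
  constructor(limit) {
    super(`object nesting exceeds the depth limit of ${limit}`);
    this.name = 'DepthLimitError';
  }
}

// Same loop-built payload as the PoC, used here as the test input.
function makeNested(depth) {
  let obj = { leaf: true };
  for (let i = 0; i < depth; i++) obj = { child: obj };
  return obj;
}

// Measure the deepest object/array nesting with an explicit stack. A recursive
// checker would be blown over by exactly the input it is meant to reject; this
// one uses heap memory, stops as soon as `limit` is exceeded, and skips
// already-visited nodes so a cyclic graph cannot make it loop forever.
function measureDepth(value, limit) {
  const stack = [[value, 0]];
  const seen = new WeakSet();
  let max = 0;
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object' || seen.has(node)) continue;
    seen.add(node);
    if (depth > max) max = depth;
    if (max > limit) return max; // early exit: no need to walk the rest
    for (const child of Object.values(node)) {
      if (child !== null && typeof child === 'object') stack.push([child, depth + 1]);
    }
  }
  return max;
}

// Gate that callers run before serialization. Returns the measured depth so
// it can be logged; throws a specific, catchable error instead of a RangeError.
function assertDepthWithin(value, limit = DEPTH_LIMIT) {
  const depth = measureDepth(value, limit);
  if (depth > limit) throw new DepthLimitError(limit);
  return depth;
}

// Recursive walker with the same shape of guard the 1.4.1 fix adds: the depth
// check runs on entry to each nested object, before recursing any further.
// Here `limit` is the deepest level still allowed (inclusive).
function serializeWithLimit(value, limit = DEPTH_LIMIT, depth = 0) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (depth > limit) throw new DepthLimitError(limit);
  const parts = [];
  for (const [key, child] of Object.entries(value)) {
    parts.push(JSON.stringify(key) + ':' + serializeWithLimit(child, limit, depth + 1));
  }
  return '{' + parts.join(',') + '}';
}

// Request-handler style wrapper: over-deep input becomes a rejection the
// caller can map to a 4xx response; anything else is a real bug and surfaces.
function safeSerialize(value, limit = DEPTH_LIMIT) {
  try {
    assertDepthWithin(value, limit);
    return { ok: true, out: serializeWithLimit(value, limit) };
  } catch (err) {
    if (err instanceof DepthLimitError) return { ok: false, reason: 'depth-limit' };
    throw err;
  }
}

console.log(safeSerialize(makeNested(2)));
console.log(safeSerialize(makeNested(100000)));
```

Running the iterative pre-check first means the recursive walker's own guard is a second line of defence rather than the only one, and the limit on the walker is only meaningful if the library you actually call enforces it; for seroval that is the 1.4.1 change itself, which is why the upgrade stays the primary fix.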

Remediation Steps:

  1. Run npm audit to identify the vulnerable package, and npm ls seroval to find every copy in the tree, including transitive ones pulled in by an SSR framework.
  2. Execute npm update seroval, or set the range in package.json to ^1.4.1 and reinstall; confirm afterwards that no copy below 1.4.1 remains.
  3. Verify the fix by running the PoC against the updated environment; it should now throw a SerovalDepthLimitError instead of crashing the process.

Read the full report for CVE-2026-24006 on our website for more details including interactive diagrams and full exploit analysis.
