{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24006", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T18:49:20.659Z", "datePublished": "2026-01-22T02:32:31.913Z", "dateUpdated": "2026-01-22T12:50:51.270Z"}, "containers": {"cna": {"title": "Seroval affected by Denial of Service via Deeply Nested Objects", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx"}, {"name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:32:31.913Z"}, "descriptions": [{"lang": "en", "value": "Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached."}], "source": {"advisory": "GHSA-3j22-8qj3-26mx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T12:50:03.862016Z", "id": "CVE-2026-24006", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:50:51.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T12:50:03.862016Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:50:46.861Z"}}], "cna": {"title": "Seroval affected by Denial of Service via Deeply Nested Objects", "source": {"advisory": "GHSA-3j22-8qj3-26mx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx", "name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:32:31.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24006", "state": "PUBLISHED", "dateUpdated": "2026-01-22T12:50:51.270Z", "dateReserved": "2026-01-19T18:49:20.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T02:32:31.913Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0\nand below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached."}], "id": "CVE-2026-24006", "lastModified": "2026-01-22T03:15:47.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T03:15:47.933", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}, {"source": "security-advisories@github.com", "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "seroval: Seroval: Denial of Service due to excessive recursion during object serialization", "id": "2431924", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431924"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24006", "public_date": "2026-01-22T02:32:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24006\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24006\nhttps://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060\nhttps://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx"], "statement": "This vulnerability is rated Important for Red Hat products as it can lead to a Denial of Service in applications utilizing the Seroval library. Specifically, deeply nested objects processed by Seroval versions 1.4.0 and below can exhaust the call stack, causing application instability. Red Hat products like Forgejo in Fedora and EPEL are affected if they use vulnerable versions of Seroval.", "threat_severity": "Important"}