CVE-2026-23957: Seroval affected by Denial of Service via Array serialization
Serialized input in which an encoded array length has been overridden with an excessively large value causes the deserialization process to spend far more processing time than the payload warrants, enabling denial of service.
Mitigation:
Seroval no longer encodes array lengths.
Instead, it computes length using Array.prototype.length during deserialization.
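The bug class and the fix, as an added illustration that is not Seroval's code and does not use Seroval's wire format: a constructed toy format "<declaredLength>:[a,b,c]" where the header can be tampered with. The first function trusts the header the way the vulnerable behaviour described above did; the second ignores it and takes the length from the elements actually decoded, which is the advisory's mitigation.

```javascript
// Added example (not Seroval's code). Toy format, constructed for this
// illustration: "<declaredLength>:[1,2,3]". The header is untrusted input.

// Parses the "[...]" body into numbers; shared by both variants below.
function parseBody(input) {
  const sep = input.indexOf(':');
  if (sep < 0 || input[sep + 1] !== '[' || input[input.length - 1] !== ']') {
    throw new Error('malformed input');
  }
  const body = input.slice(sep + 2, -1);
  return body === '' ? [] : body.split(',').map(Number);
}

// Vulnerable shape: allocation and the fill loop are sized by the declared
// length, so work grows with an attacker-chosen number, not with the bytes
// that were actually sent.
function deserializeTrustingLength(input) {
  const declared = Number(input.slice(0, input.indexOf(':')));
  const items = parseBody(input);
  const result = new Array(declared);
  for (let i = 0; i < declared; i++) {
    result[i] = items[i]; // past the real elements this just writes undefined
  }
  return result;
}

// Hardened shape (the mitigation the advisory describes): no encoded length is
// consulted; the array is whatever was really decoded and its length is simply
// Array.prototype.length, so a forged header cannot inflate the work done.
function deserializeFromElements(input) {
  const result = parseBody(input);
  return result;
}

// Constructed inputs: an honest header and a tampered one.
const honest = '3:[1,2,3]';
const forged = '50:[1,2,3]';
console.log(deserializeTrustingLength(forged).length); // 50: header trusted
console.log(deserializeFromElements(forged).length);   // 3: elements counted
console.log(deserializeFromElements(honest));          // [ 1, 2, 3 ]
```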