CVE-2026-24006: Seroval affected by Denial of Service via Deeply Nested Objects
Serialization of objects with extreme depth can exceed the maximum call stack limit.
Mitigation:
Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
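The failure mode and the mitigation described above, as an added example that is not seroval's code and not part of the advisory: a toy recursive serializer that overflows the call stack on deep input unless a depth check stops it first. The names toySerialize, DepthLimitError, nest and outcome are hypothetical; only the depthLimit name comes from the advisory.

```javascript
// Added example: a toy recursive serializer, not seroval's implementation.
// toySerialize, DepthLimitError, nest and outcome are hypothetical names.
class DepthLimitError extends Error {}

// One stack frame per nesting level, so depth is bounded only by the call stack
// unless depthLimit is set. Arrays are treated as plain objects to stay short.
function toySerialize(value, depthLimit = Infinity, depth = 0) {
  if (depth > depthLimit) {
    throw new DepthLimitError(`depth limit ${depthLimit} exceeded`);
  }
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  const parts = [];
  for (const [key, child] of Object.entries(value)) {
    parts.push(JSON.stringify(key) + ":" + toySerialize(child, depthLimit, depth + 1));
  }
  return "{" + parts.join(",") + "}";
}

// Constructed sample input: `levels` objects wrapped around a leaf value,
// built with a loop so that building it does not recurse.
function nest(levels) {
  let value = 0;
  for (let i = 0; i < levels; i++) value = { child: value };
  return value;
}

// Classify what a caller sees: success, the controlled error, or the engine's
// RangeError ("Maximum call stack size exceeded" in V8).
function outcome(value, depthLimit) {
  try {
    toySerialize(value, depthLimit);
    return "ok";
  } catch (err) {
    if (err instanceof DepthLimitError) return "depth-limit";
    if (err instanceof RangeError) return "stack-overflow";
    throw err;
  }
}

console.log(outcome(nest(50), 100));          // shallow input, within the limit
console.log(outcome(nest(200000), 1000));     // deep input, rejected early
console.log(outcome(nest(200000), Infinity)); // deep input, no limit
```

The controlled error fires at a fixed, known depth, while the depth at which the engine raises RangeError varies with the runtime and with how much stack is already in use.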