RegExhaustion: Crashing Seroval with Malicious Patterns
Jan 21, 2026 · 5 min read
Executive Summary (TL;DR)
Seroval didn't check the size or complexity of Regular Expressions during deserialization. Attackers can send a JSON payload containing a 'bomb'—either a massive string to crash memory or a ReDoS pattern to spike CPU—taking down the Node.js process instantly.
A resource exhaustion vulnerability in the `seroval` JavaScript serialization library allows attackers to trigger Denial of Service (DoS) via malicious RegExp payloads. By exploiting the lack of input validation on deserialized RegExp strings, attackers can force the server into catastrophic backtracking or Out-of-Memory (OOM) states.
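To make the "feature flag + length limit" fix concrete, here is an added example of a guarded RegExp reviver for JSON deserialization. It is not seroval's own code; the wire format `{"$regexp": {"source", "flags"}}`, the option names and the sample payloads are all constructed for this illustration.

```javascript
// Guarded reconstruction of RegExp values from untrusted JSON.
// Assumed (constructed) wire format: {"$regexp": {"source": "...", "flags": "..."}}
const DEFAULTS = Object.freeze({
  allowRegExp: false,    // feature flag: RegExp payloads are rejected unless the caller opts in
  maxSourceLength: 256,  // hard cap on pattern text, blocks "string bomb" memory exhaustion
  maxFlagsLength: 8,     // "dgimsuvy" is the full set of ECMAScript flags
});
const VALID_FLAGS = /^[dgimsuvy]*$/;

class UnsafeRegExpError extends Error {}

// All checks here are O(length) on the raw strings and run BEFORE `new RegExp`,
// so a hostile payload never reaches the regex compiler or the event loop.
function reviveRegExp(entry, opts) {
  const options = { ...DEFAULTS, ...opts };
  if (!options.allowRegExp) throw new UnsafeRegExpError('RegExp deserialization disabled');
  if (!entry || typeof entry.source !== 'string' || typeof entry.flags !== 'string') {
    throw new UnsafeRegExpError('malformed RegExp entry');
  }
  if (entry.source.length > options.maxSourceLength) {
    throw new UnsafeRegExpError(`pattern too long (${entry.source.length})`);
  }
  if (entry.flags.length > options.maxFlagsLength || !VALID_FLAGS.test(entry.flags)) {
    throw new UnsafeRegExpError('invalid flags');
  }
  try {
    return new RegExp(entry.source, entry.flags);
  } catch (e) {
    throw new UnsafeRegExpError(`invalid pattern: ${e.message}`); // e.g. duplicate flags
  }
}

// JSON.parse reviver: an object whose only key is "$regexp" becomes a RegExp.
function safeParse(json, opts) {
  return JSON.parse(json, (key, value) => {
    if (value && typeof value === 'object' && '$regexp' in value && Object.keys(value).length === 1) {
      return reviveRegExp(value.$regexp, opts);
    }
    return value;
  });
}

// Constructed samples: a benign pattern and an oversized pattern (memory-exhaustion shape).
const BENIGN = JSON.stringify({ re: { $regexp: { source: '^user-\\d+$', flags: 'i' } } });
const OVERSIZED = JSON.stringify({ re: { $regexp: { source: 'a'.repeat(10000), flags: '' } } });

function tryParse(json, opts) {
  try { return { ok: true, value: safeParse(json, opts) }; }
  catch (e) { return { ok: false, error: e instanceof UnsafeRegExpError ? e.message : String(e) }; }
}
```

A length cap bounds memory and shrinks the CPU attack surface, but a short pattern can still backtrack catastrophically, so the feature flag stays off by default and any revived RegExp should still be treated as untrusted input.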
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems
Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| seroval (lxsmnsyc) | < 1.4.1 | 1.4.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-400 (Uncontrolled Resource Consumption) |
| Attack Vector | Network (JSON Payload) |
| CVSS | 7.5 (High) |
| Impact | Denial of Service (DoS) |
| Exploit Status | PoC Available |
| Key Fix | Feature Flags + Length Limits |
CWE-400 (Uncontrolled Resource Consumption): The product does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.