Seroval
Monthly
Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.
Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.
Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).
Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.
Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.
Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).