Seroval RegExp Serialization Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Seroval package, affecting versions up to and including 1.4.0. The issue lies in how RegExp values are serialized and deserialized: deserialization rebuilds a RegExp from whatever pattern and flags the serialized data carries, so a payload that overrides the RegExp serialization with a very large pattern can exhaust the JavaScript runtime's memory during deserialization. Patterns crafted to cause catastrophic backtracking (nested quantifiers, for example) can additionally produce a Regular Expression Denial-of-Service (ReDoS) once the reconstructed RegExp is run against input. The vulnerability is reachable wherever an application deserializes data it does not control, for example payloads supplied by a client.
Impact
Exploitation consumes resources in the deserializing process: an oversized pattern drives up memory use during deserialization, and a catastrophic-backtracking pattern consumes CPU when the reconstructed RegExp is evaluated. Either can leave the application unresponsive or crash it, resulting in a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by feeding Seroval serialized data that contains a RegExp with an extremely large pattern, or with a pattern that triggers catastrophic backtracking, and deserializing it. The first case is any pattern large enough to exhaust the runtime's memory when it is compiled. The second is a pattern of the kind known to backtrack catastrophically, such as one with nested quantifiers (a repeated group whose body is itself repeated, for example (a+)+), which exhausts CPU when matched against a string it nearly, but never, matches.
Remediation
Users are advised to update to Seroval version 1.4.1 or later. In addition, Seroval now provides a 'disabledFeatures' option on its serialization and deserialization methods, which can be used to disable RegExp serialization entirely. Applications that never need to transport RegExp values should set this option so that RegExp patterns are neither serialized nor deserialized. Applications that do need them should treat the incoming pattern as untrusted input and bound its size and shape before it is compiled.
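The following is an added example, not code from the Seroval project or from the advisory. It shows the mechanism described in the Vulnerability and Reproduction sections and the kind of guard the Remediation section calls for: a minimal deserializer that revives a RegExp from an untrusted record, first in the unchecked shape (pattern and flags go straight to the RegExp constructor), then with a kill switch, a size cap, a flags allowlist and a nested-quantifier pre-filter. The {$type, source, flags} record format, the option names disableRegExp and maxPatternLength, the 1024-character cap and the payloads are all constructed for this illustration; Seroval's real wire format and its 'disabledFeatures' option differ.

```javascript
// Added illustration, not seroval's code. The record format, option names
// and cap below are assumptions made for this example.

const DEFAULT_MAX_PATTERN_LENGTH = 1024; // assumed cap; size it to the patterns your app really sends

// Heuristic for the classic catastrophic-backtracking shape: a group that is
// itself repeated and whose body contains a repetition, e.g. (a+)+ or (\d*)*.
// It is a cheap pre-filter, not a complete ReDoS analysis.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/;

// Vulnerable shape: whatever arrives on the wire is handed straight to the
// RegExp constructor, so the sender controls pattern size and structure.
function reviveRegExpUnchecked(record) {
  return new RegExp(record.source, record.flags);
}

// Hardened shape: a kill switch (the equivalent of disabling the feature),
// a size cap, a flags allowlist and the nested-quantifier pre-filter.
function reviveRegExpGuarded(record, options = {}) {
  const { disableRegExp = false, maxPatternLength = DEFAULT_MAX_PATTERN_LENGTH } = options;
  if (disableRegExp) {
    throw new Error('RegExp deserialization is disabled');
  }
  if (typeof record.source !== 'string' || typeof record.flags !== 'string') {
    throw new TypeError('malformed RegExp record');
  }
  if (record.source.length > maxPatternLength) {
    throw new RangeError(`pattern too large: ${record.source.length} > ${maxPatternLength}`);
  }
  if (!/^[dgimsuvy]*$/.test(record.flags)) {
    throw new SyntaxError(`unexpected RegExp flags: ${record.flags}`);
  }
  if (NESTED_QUANTIFIER.test(record.source)) {
    throw new Error('pattern rejected: nested quantifier (ReDoS risk)');
  }
  return new RegExp(record.source, record.flags);
}

// Walk a JSON document and revive every {$type: "RegExp"} record with the
// chosen reviver. Returns {ok, value} or {ok, reason} instead of throwing so
// the caller can log the rejection and drop the payload.
function deserialize(json, reviver, options = {}) {
  try {
    const value = JSON.parse(json, (_key, node) =>
      node !== null && typeof node === 'object' && node.$type === 'RegExp'
        ? reviver(node, options)
        : node,
    );
    return { ok: true, value };
  } catch (err) {
    return { ok: false, reason: `${err.name}: ${err.message}` };
  }
}

// Constructed payloads for the demonstration (not taken from the advisory).
const payloads = {
  benign: JSON.stringify({ rule: { $type: 'RegExp', source: '^[a-z]+$', flags: 'i' } }),
  // Nested quantifier: matching 'a'.repeat(n) + '!' against this costs O(2^n).
  redos: JSON.stringify({ rule: { $type: 'RegExp', source: '^(a+)+$', flags: '' } }),
  // Over the cap: the unchecked path compiles it unconditionally.
  oversized: JSON.stringify({
    rule: { $type: 'RegExp', source: 'a'.repeat(DEFAULT_MAX_PATTERN_LENGTH + 1), flags: '' },
  }),
};

// Run every payload through the three configurations and report whether
// deserialization accepted it.
function demo() {
  const out = {};
  for (const [name, json] of Object.entries(payloads)) {
    out[name] = {
      unchecked: deserialize(json, reviveRegExpUnchecked).ok,
      guarded: deserialize(json, reviveRegExpGuarded).ok,
      disabled: deserialize(json, reviveRegExpGuarded, { disableRegExp: true }).ok,
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The unchecked reviver accepts all three payloads, which is the behaviour the advisory describes. The guarded reviver still accepts the benign rule but rejects the oversized pattern and the nested-quantifier pattern before either reaches the RegExp constructor, and with the kill switch set it rejects every RegExp record, which is the posture to choose when the application never needs to transport RegExp values. The nested-quantifier check is deliberately a narrow heuristic; it is not a substitute for bounding pattern size and keeping RegExp deserialization off where it is not required.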
