Seroval Denial-of-Service Vulnerability via Deeply Nested Objects
Vulnerability
A denial-of-service vulnerability has been identified in Seroval, a JavaScript library for value stringification, in versions through 1.4.0. The issue arises when deeply nested objects are serialized: the recursive traversal can exceed the maximum call stack size. This leads to stack overflow errors, causing the application to crash or become unresponsive. In version 1.4.1 and later, Seroval introduces a 'depthLimit' parameter in its serialization and deserialization methods to mitigate this issue. If the specified depth limit is exceeded, an error is thrown instead of the traversal continuing.
Impact
Exploitation of this vulnerability can cause a stack overflow, leading to a denial-of-service condition where the application becomes unresponsive or crashes.
Reproduction
The vulnerability can be reproduced by serializing an object with a depth that exceeds the maximum call stack limit. This can be done using Seroval's serialization methods in a version prior to 1.4.1. The stack overflow can be observed as the application crashes or becomes unresponsive.
Remediation
Users can upgrade to Seroval version 1.4.1 or later, where the 'depthLimit' parameter is available to reject inputs whose nesting depth exceeds a configured bound before the serializer recurses through them. Instructions for updating can be found on the Seroval GitHub repository.
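The following is an added example, not Seroval's own code, showing the shape of the mitigation the advisory describes: bound the nesting depth of untrusted input before handing it to a recursive serializer, and raise a controlled error rather than let the call stack overflow. The function names (measureDepth, safeSerialize), the error class and the limit values are assumptions for this example and do not correspond to Seroval's API; JSON.stringify stands in for any recursive stringifier. The depth check is written iteratively, so the guard itself cannot overflow the stack on the very input it is meant to reject.

```javascript
// Added example (not Seroval's code): stack-safe depth guard in front of a
// recursive serializer. All names here are assumptions for illustration.

class DepthLimitExceededError extends Error {
  constructor(limit) {
    super(`nesting depth exceeds limit of ${limit}`);
    this.name = 'DepthLimitExceededError';
  }
}

// Return the depth of the deepest value (root at depth 0), or throw as soon as
// `limit` is exceeded. Uses an explicit work list instead of recursion, and a
// WeakSet of visited objects so cyclic input terminates instead of looping.
function measureDepth(value, limit) {
  let maxDepth = 0;
  const seen = new WeakSet();
  const work = [{ node: value, depth: 0 }];
  while (work.length > 0) {
    const { node, depth } = work.pop();
    if (depth > limit) throw new DepthLimitExceededError(limit);
    if (depth > maxDepth) maxDepth = depth;
    if (node === null || typeof node !== 'object') continue; // primitive leaf
    if (seen.has(node)) continue;                              // already visited (cycle)
    seen.add(node);
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) work.push({ node: child, depth: depth + 1 });
  }
  return maxDepth;
}

// What a service boundary would call: reject over-deep input with a controlled
// error before the (recursive) serializer ever sees it.
function safeSerialize(value, limit, serializeFn = JSON.stringify) {
  measureDepth(value, limit);
  return serializeFn(value);
}

// Constructed sample input for the example: `n` levels of { a: ... } around a leaf.
function nested(n) {
  let v = 'leaf';
  for (let i = 0; i < n; i++) v = { a: v };
  return v;
}

// Usage: a shallow value serializes normally, an over-deep one is refused.
safeSerialize(nested(2), 100);                 // '{"a":{"a":"leaf"}}'
try {
  safeSerialize(nested(5000), 100);
} catch (e) {
  console.error(`${e.name}: ${e.message}`);   // controlled error, no stack overflow
}
```

Choosing the limit is application-specific: set it to the deepest structure your own data model legitimately produces, then treat any DepthLimitExceededError at the boundary as a rejected request and log it, since well-formed clients should never hit it.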