Serialization of objects with extreme depth can exceed the maximum call stack limit. Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. The vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to perform 4 separate requests on the same function and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and …
Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality. As there is no known workaround, please upgrade to the latest version.
Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). Mitigation: Seroval introduces disabledFeatures (a bitmask) in serialization/deserialization methods, with Feature.RegExp as a dedicated flag. Users are recommended to configure disabledFeatures to disable RegExp serialization entirely.
Overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. Mitigation: Seroval no longer encodes array lengths. Instead, it computes length using Array.prototype.length during deserialization.