CVE-2026-24006 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the seroval library by lxsmnsyc, which facilitates JavaScript value stringification beyond the capabilities of JSON.stringify. Versions prior to 1.4.1 do not impose limits on the depth of object serialization, allowing attackers to craft deeply nested objects that cause the serialization process to exceed the maximum call stack size. This results in a stack overflow condition that crashes the process or service, effectively causing a denial of service (DoS). The vulnerability is exploitable remotely without authentication or user interaction, as it only requires feeding maliciously crafted input to the serialization functions. The introduction of the depthLimit parameter in version 1.4.1 mitigates this risk by enforcing a maximum recursion depth and throwing an error when exceeded, preventing stack overflow. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and impact on availability, while confidentiality and integrity remain unaffected. No known exploits are currently reported in the wild, but the potential for DoS attacks exists, especially in environments processing untrusted or user-supplied data. The vulnerability is particularly relevant for web applications, APIs, and services that rely on seroval for complex data serialization, as these are common targets for resource exhaustion attacks.

For European organizations, this vulnerability poses a significant risk of denial of service, potentially disrupting critical web services, APIs, and backend systems that utilize seroval for data serialization. The impact is primarily on availability, which can lead to service outages, degraded user experience, and operational downtime. Industries such as finance, telecommunications, healthcare, and government services that rely on JavaScript-based applications or microservices could face interruptions affecting business continuity. Additionally, organizations exposed to public internet traffic are at higher risk since exploitation requires no authentication. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not diminish the operational threat. Given the high CVSS score and ease of exploitation, attackers could leverage this vulnerability to cause widespread disruption, especially in environments processing complex or user-generated data structures. The absence of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.

To mitigate CVE-2026-24006, European organizations should immediately upgrade all instances of the seroval library to version 1.4.1 or later, which includes the depthLimit parameter to prevent excessive recursion during serialization. Where upgrading is not immediately feasible, implement input validation to restrict the depth and complexity of objects before serialization, thereby reducing the risk of stack overflow. Employ runtime monitoring and alerting for abnormal CPU and memory usage patterns associated with serialization processes to detect potential exploitation attempts. Incorporate rate limiting and request throttling on APIs and services that accept serialized input to limit the impact of resource exhaustion attacks. Conduct code audits to identify and refactor any custom serialization logic that may be vulnerable to similar issues. Finally, maintain an inventory of software dependencies to ensure timely application of security patches and monitor vulnerability advisories related to third-party libraries.