CVE-2026-34043

MEDIUM

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Title source: cna

Description

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

References (3)

Scores

CVSS v3 5.9
EPSS 0.0004
EPSS Percentile 11.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-834
Status published
Products (2)
npm/serialize-javascript 0 - 7.0.5npm
yahoo/serialize-javascript < 7.0.5
Published Mar 31, 2026
Tracked Since Mar 31, 2026