CVE-2026-34043: Uncontrolled Resource Consumption in serialize-javascript

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 83.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 31; latest update Apr 1

Description

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

CVEList V5: yahoo/serialize-javascript < 7.0.5
Debian: debian/node-serialize-javascript < node-serialize-javascript 7.0.5+~5.0.4-1 (forky)
NVD: yahoo/serialize < 7.0.5

Patches

Vulnerability Details (3)

OSV: CVE-2026-34043: Serialize JavaScript to a superset of JSON that includes regular expressions and functions (2026-03-31)
GHSA: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects (2026-03-27)
OSV: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects (2026-03-27)

Vendor Advisories (2)

Red Hat: serialize-javascript: Denial of Service via specially crafted array-like object serialization (2026-03-31)
Debian: CVE-2026-34043: node-serialize-javascript - Serialize JavaScript to a superset of JSON that includes regular expressions and... (2026)


Community (6)

Bugzilla: CVE-2026-34043 cachelib: serialize-javascript: Denial of Service via specially crafted array-like object serialization [fedora-all] (2026-04-01)
Bugzilla: CVE-2026-34043 openbao: serialize-javascript: Denial of Service via specially crafted array-like object serialization [fedora-all] (2026-04-01)
Bugzilla: CVE-2026-34043 openbao: serialize-javascript: Denial of Service via specially crafted array-like object serialization [epel-all] (2026-04-01)
Bugzilla: CVE-2026-34043 fbthrift: serialize-javascript: Denial of Service via specially crafted array-like object serialization [epel-all] (2026-04-01)
Bugzilla: CVE-2026-34043 cachelib: serialize-javascript: Denial of Service via specially crafted array-like object serialization [epel-all] (2026-04-01)