CVE-2026-34043
Received Received - Intake
Denial of Service in JavaScript Serializer via Large Array-Like Objects

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yahoo serialize to 7.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-34043 is a Denial of Service (DoS) vulnerability that causes CPU exhaustion and process hangs when serializing specially crafted array-like objects. This impacts availability but does not affect confidentiality or integrity.

Since the vulnerability does not lead to unauthorized data access or modification, it does not directly violate data protection requirements under standards like GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.

However, the availability impact caused by this DoS could indirectly affect compliance if critical systems become unavailable, potentially violating uptime or service availability requirements in certain regulatory frameworks.

Mitigation involves upgrading to version 7.0.5 or later and validating inputs to prevent exploitation, which supports maintaining compliance by ensuring system reliability and availability.

Executive Summary

CVE-2026-34043 is a Denial of Service (DoS) vulnerability in the npm package serialize-javascript, affecting versions prior to 7.0.5.

The vulnerability occurs when serializing specially crafted "array-like" objectsβ€”objects that inherit from Array.prototype but have an extremely large length property.

This causes the serialization process to enter an intensive loop that exhausts CPU resources, making the process hang indefinitely.

The issue was patched in version 7.0.5 by improving array detection and handling sparse arrays to prevent the CPU exhaustion loop.

Impact Analysis

This vulnerability can cause your application to hang indefinitely due to 100% CPU usage when serializing maliciously crafted array-like objects.

Such Denial of Service conditions can make your application unavailable to legitimate users, impacting availability.

The risk is higher if your application serializes untrusted or user-controlled data, especially if it is also vulnerable to Prototype Pollution or processes untrusted YAML deserialization.

Mitigation includes upgrading to serialize-javascript version 7.0.5 or later, validating and sanitizing inputs, and protecting against Prototype Pollution.

Detection Guidance

This vulnerability manifests as a Denial of Service (DoS) caused by CPU exhaustion when serializing specially crafted array-like objects with a very large length property using the serialize-javascript package prior to version 7.0.5.

Detection involves monitoring for processes that use serialize-javascript and observing unusually high CPU usage or hangs during serialization operations, especially when handling untrusted or user-controlled data.

There are no specific commands provided in the resources to detect this vulnerability directly. However, general approaches include:

  • Monitoring CPU usage of applications that use serialize-javascript, for example using commands like `top` or `htop` on Linux.
  • Using process tracing or profiling tools (e.g., `strace`, `perf`) to identify serialization calls that enter intensive loops.
  • Reviewing application logs or adding instrumentation to detect serialization of large or suspicious array-like objects.

Since the vulnerability is triggered by serializing maliciously crafted array-like objects, ensuring input validation and sanitization before serialization can help in detection and prevention.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the serialize-javascript package to version 7.0.5 or later, where the vulnerability has been patched.

Additional mitigation strategies include:

  • Validate and sanitize all inputs before serialization to prevent malicious array-like objects from being processed.
  • Protect the environment against Prototype Pollution vulnerabilities, which could facilitate injection of malicious objects.
  • Avoid serializing untrusted or user-controlled data without proper checks.

No direct code-level workaround exists within the library itself, so upgrading and input validation are critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart