CVE-2026-34043
Denial of Service in JavaScript Serializer via Large Array-Like Objects
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yahoo | serialize-javascript | up to 7.0.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-834 | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34043 is a Denial of Service (DoS) vulnerability in the npm package serialize-javascript, affecting versions prior to 7.0.5.
The vulnerability occurs when serializing specially crafted "array-like" objects: objects that inherit from Array.prototype but have an extremely large length property.
This causes the serialization process to enter an intensive loop that exhausts CPU resources, making the process hang indefinitely.
The issue was patched in version 7.0.5 by improving array detection and handling sparse arrays to prevent the CPU exhaustion loop.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34043 is a Denial of Service (DoS) vulnerability that causes CPU exhaustion and process hangs when serializing specially crafted array-like objects. This impacts availability but does not affect confidentiality or integrity.
Since the vulnerability does not lead to unauthorized data access or modification, it does not directly violate data protection requirements under standards like GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.
However, the availability impact caused by this DoS could indirectly affect compliance if critical systems become unavailable, potentially violating uptime or service availability requirements in certain regulatory frameworks.
Mitigation involves upgrading to version 7.0.5 or later and validating inputs to prevent exploitation, which supports maintaining compliance by ensuring system reliability and availability.
How can this vulnerability impact me?
This vulnerability can cause your application to hang indefinitely due to 100% CPU usage when serializing maliciously crafted array-like objects.
Such Denial of Service conditions can make your application unavailable to legitimate users, impacting availability.
The risk is higher if your application serializes untrusted or user-controlled data, especially if it is also vulnerable to Prototype Pollution or processes untrusted YAML deserialization.
Mitigation includes upgrading to serialize-javascript version 7.0.5 or later, validating and sanitizing inputs, and protecting against Prototype Pollution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a Denial of Service (DoS) caused by CPU exhaustion when serializing specially crafted array-like objects with a very large length property using the serialize-javascript package prior to version 7.0.5.
Detection involves monitoring for processes that use serialize-javascript and observing unusually high CPU usage or hangs during serialization operations, especially when handling untrusted or user-controlled data.
There are no specific commands provided in the resources to detect this vulnerability directly. However, general approaches include:
- Monitoring CPU usage of applications that use serialize-javascript, for example using commands like `top` or `htop` on Linux.
- Using process tracing or profiling tools (e.g., `strace`, `perf`) to identify serialization calls that enter intensive loops.
- Reviewing application logs or adding instrumentation to detect serialization of large or suspicious array-like objects.
Since the vulnerability is triggered by serializing maliciously crafted array-like objects, ensuring input validation and sanitization before serialization can help in detection and prevention.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the serialize-javascript package to version 7.0.5 or later, where the vulnerability has been patched.
Additional mitigation strategies include:
- Validate and sanitize all inputs before serialization to prevent malicious array-like objects from being processed.
- Protect the environment against Prototype Pollution vulnerabilities, which could facilitate injection of malicious objects.
- Avoid serializing untrusted or user-controlled data without proper checks.
No direct code-level workaround exists within the library itself, so upgrading and input validation are critical.
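As an added example (not code from this advisory or from the serialize-javascript project), the following pre-serialization scanner implements the instrumentation and input-validation points above: it walks an object graph and reports real arrays, or objects inheriting from Array.prototype, whose `length` exceeds an application limit or claims more elements than the object actually owns. The limit `MAX_LENGTH`, the function names and the sample objects are assumptions.

```javascript
// Added example: pre-serialization guard for inflated or sparse array-like values.
// Not part of serialize-javascript; MAX_LENGTH is an assumed application-specific limit.
const MAX_LENGTH = 10_000;

// Walks `root` and returns one entry per value that looks like an array (a real Array,
// or an object whose prototype chain includes Array.prototype) but reports a `length`
// that is not a safe non-negative integer, exceeds maxLength, or (for non-Array objects)
// is larger than the number of index keys the object actually owns.
function findSuspiciousArrayLikes(root, maxLength = MAX_LENGTH) {
  const hits = [];
  const seen = new Set(); // cycle protection
  const walk = (value, path) => {
    if (value === null || typeof value !== 'object') return;
    if (seen.has(value)) return;
    seen.add(value);

    const arrayLike = Array.isArray(value) || Array.prototype.isPrototypeOf(value);
    if (arrayLike) {
      const len = Number(value.length);
      const ownIndexKeys = Object.keys(value).filter((k) => /^\d+$/.test(k)).length;
      const inflated = !Array.isArray(value) && len > ownIndexKeys;
      if (!Number.isSafeInteger(len) || len < 0 || len > maxLength || inflated) {
        hits.push({ path, length: value.length, ownIndexKeys });
        return; // do not descend into a structure we are going to reject anyway
      }
    }
    // Only own enumerable keys are followed; inherited properties are never walked.
    for (const key of Object.keys(value)) {
      walk(value[key], path ? `${path}.${key}` : key);
    }
  };
  walk(root, '');
  return hits;
}

// Call before handing data to the serializer: throws instead of letting it loop.
function assertSafeToSerialize(value, maxLength = MAX_LENGTH) {
  const hits = findSuspiciousArrayLikes(value, maxLength);
  if (hits.length > 0) {
    const { path, length, ownIndexKeys } = hits[0];
    throw new RangeError(
      `refusing to serialize: array-like at "${path || '<root>'}" reports length ${length} with ${ownIndexKeys} own index keys`
    );
  }
  return value;
}
```

The returned `path` entries are suitable for logging, which gives the instrumentation signal mentioned in the detection section without invoking the serializer on the suspect value.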