CVE-2026-34043

EUVD-2026-17288

31.03.2026, 03:15

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
yahoo	serialize	𝑥 < 7.0.5

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
yahoo	serialize_javascript	𝑥 < 7.0.5	CNA

Debian Releases

Debian Product

Codename

node-serialize-javascript

bookworm	no-dsa
bullseye	postponed
forky	7.0.5+~5.0.4-1 fixed
sid	7.0.5+~5.0.4-1 fixed
trixie	no-dsa

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b

https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5

https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v