Description
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Published: 2026-03-31
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via CPU exhaustion caused by serialization of crafted array‑like objects
Action: Patch
AI Analysis

Impact

Serializing a specially crafted object that inherits the Array prototype and has a very large length property triggers an intensive loop in the serialize-javascript library, causing the process to consume 100 % of CPU and hang indefinitely. The flaw is a resource exhaustion vulnerability where the library does not properly validate the array length during serialization, leading to unbounded CPU use.

Affected Systems

Applications using Yahoo’s serialize-javascript library prior to the 7.0.5 release are affected. Any deployment that serializes untrusted input with this older version—whether web services, command‑line tools, or embedded scripts—may experience the denial of service.

Risk and Exploitability

With a CVSS score of 5.9, the severity is considered medium, while an EPSS score of less than 1 % indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to supply a crafted array‑like object to the serialize function; the specific input channel depends on how the application exposes this functionality, so the vector is inferred rather than explicitly documented.

Generated by OpenCVE AI on April 3, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade serialize-javascript to version 7.0.5 or newer

Generated by OpenCVE AI on April 3, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
History

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Yahoo serialize
CPEs cpe:2.3:a:yahoo:serialize:*:*:*:*:*:*:*:*
Vendors & Products Yahoo serialize

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Yahoo
Yahoo serialize-javascript
Vendors & Products Yahoo
Yahoo serialize-javascript

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Title Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Weaknesses CWE-400
CWE-834
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Yahoo Serialize Serialize-javascript
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:55:54.998Z

Reserved: 2026-03-25T15:29:04.745Z

Link: CVE-2026-34043

cve-icon Vulnrichment

Updated: 2026-03-31T13:55:49.732Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T03:15:58.400

Modified: 2026-04-03T16:53:52.573

Link: CVE-2026-34043

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T01:48:45Z

Links: CVE-2026-34043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:45Z

Weaknesses