CVE-2026-34043 MEDIUM

CVE-2026-34043: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Vendor Yahoo

Product serialize-javascript

Weakness CWE-400

Published March 31, 2026

Last update March 31, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

Key dates

Disclosure timeline

March 31, 2026 CVE published

March 31, 2026 Record updated