CVE-2026-34043: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
What kind of vulnerability is it?
It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serialize-javascript is given a specially crafted "array-like" object (an object that inherits from Array.prototype but is not a genuine array, and carries a very large length property), the serializer enters a loop driven by that length value. The loop is synchronous, so it pins a CPU core at 100% and blocks the Node.js event loop; the process effectively hangs, and every request it is serving stalls with it.
Who is impacted?
Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. Direct exploitation is difficult because the attacker must control not only the values but the prototype of an object that reaches serialize(); data that arrives through JSON.parse yields only plain objects and genuine arrays. The vulnerability becomes a high-priority threat when the application is also vulnerable to Prototype Pollution, or deserializes untrusted data with a YAML (or similar) deserializer that can construct objects with attacker-chosen prototypes, since either can be used to inject the malicious object.
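As an added example (not code from the advisory or from serialize-javascript itself), the following guard rejects the object shape described above before it is handed to serialize(). It distinguishes a genuine array (Array.isArray) from an object that merely inherits from Array.prototype (which passes only instanceof Array), and separately refuses any object, real array or array-like, whose length exceeds a limit. The limit MAX_LENGTH, the function names and the sample payloads are assumptions for illustration; the serializer is injected so the snippet runs without the package installed.

```javascript
// Added example, not code from the advisory or from serialize-javascript.
// A pre-serialization guard for the object shape the advisory describes:
// something that inherits from Array.prototype but is not a real array, or
// anything carrying an absurd numeric `length`. MAX_LENGTH is an assumed
// application-specific limit; pick one that fits your real payloads.
const MAX_LENGTH = 1_000_000;

// A genuine array satisfies Array.isArray. An object that merely has
// Array.prototype in its chain (e.g. Object.create(Array.prototype)) passes
// `instanceof Array` but fails Array.isArray; that gap is what this detects.
function isFakeArray(value) {
  return value instanceof Array && !Array.isArray(value);
}

// Any object (real array or array-like) whose numeric `length` exceeds the limit.
function hasOversizedLength(value) {
  return typeof value.length === 'number' && value.length > MAX_LENGTH;
}

// Walk the object graph that would be handed to serialize() and throw on the
// first offending node. `seen` guards against cycles. Returns true if clean.
function assertSafeToSerialize(value, seen = new Set()) {
  if (value === null || typeof value !== 'object') return true;
  if (seen.has(value)) return true;
  seen.add(value);

  if (isFakeArray(value)) {
    throw new TypeError('refusing array-like object that inherits from Array.prototype');
  }
  if (hasOversizedLength(value)) {
    throw new RangeError(`refusing object with length ${value.length} > ${MAX_LENGTH}`);
  }
  for (const key of Object.keys(value)) {
    assertSafeToSerialize(value[key], seen);
  }
  return true;
}

// Constructed sample of the crafted object: Array.prototype in the chain and
// a length at the 2^32 - 1 array maximum, but no real elements.
function craftedArrayLike() {
  const fake = Object.create(Array.prototype);
  fake.length = 0xffffffff;
  return fake;
}

// Constructed benign payload with the kinds of values the library handles
// (nested objects, real arrays, Date, Set).
function benignPayload() {
  return { user: { id: 7, roles: ['admin', 'dev'] }, since: new Date(0), tags: new Set(['x']) };
}

// Wrap the serializer: validate first, then serialize. `serializeFn` is whatever
// serializer the app uses (serialize-javascript's default export in practice);
// it is injected here so the example runs without the package installed.
function safeSerialize(serializeFn, value) {
  assertSafeToSerialize(value);
  return serializeFn(value);
}
```

The guard is defense in depth for the case where request-derived or deserialized objects reach the serializer; it does not replace upgrading to the patched release listed in the references. Note that it is specific to the shape the advisory names: an object that spoofs its prototype through a Proxy, or a payload that grows the graph rather than a single length field, needs its own limits (depth, node count) on top of this one.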
References
- github.com/advisories/GHSA-qj8w-gfj5-8c6v
- github.com/yahoo/serialize-javascript
- github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
- github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
- github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
- nvd.nist.gov/vuln/detail/CVE-2026-34043