VYPR
Medium severity · CVSS 5.9 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 3, 2026

CVE-2026-34043

Description

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
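The two branch checks the fix changes, placed side by side and run against the inputs the advisory names. This is an added example, not code from serialize-javascript; the helper names (isArrayBranchOld, isArrayBranchNew, isSparseNew, classify, makeArrayLike, HostileArray) are assumptions, and the hostile filter is never invoked.

```javascript
// Added example (not from serialize-javascript). Pre-7.0.5 shape: instanceof
// accepts anything that inherits from Array.prototype, after which the
// serializer called origValue.filter(...) to detect holes. On an array-like
// with a huge `length`, filter walks every index; an Array subclass can also
// override filter() outright. Neither path is entered here, only the test.
function isArrayBranchOld(value) {
    return value instanceof Array;
}

// 7.0.5 shape: Array.isArray accepts only true Array exotic objects, so the
// array-like falls through to plain-object handling.
function isArrayBranchNew(value) {
    return Array.isArray(value);
}

// 7.0.5 sparse check: Object.keys never invokes an overridable Array method.
// Caveat: it counts every enumerable own string key, so a dense array with an
// expando property (arr.extra = 1) is reported as sparse by this check.
function isSparseNew(arr) {
    return Object.keys(arr).length !== arr.length;
}

// Classify a value the way the fixed serializer branches on it.
function classify(value) {
    if (!isArrayBranchNew(value)) return 'object';
    return isSparseNew(value) ? 'sparse-array' : 'dense-array';
}

// Constructed input mirroring the advisory's first regression test: inherits
// from Array.prototype, claims to be an Array, and advertises a huge length.
function makeArrayLike() {
    var v = Object.create(Array.prototype);
    v[Symbol.toStringTag] = 'Array';
    Object.defineProperty(v, 'length', { value: Number.MAX_SAFE_INTEGER });
    return v;
}

// Constructed input mirroring the second regression test. filter() is a
// hostile override and must never be called by the sparse check.
class HostileArray extends Array {
    filter() { while (true) {} }
}

function makeArrayWithExpando() {
    var a = [1, 2];
    a.extra = 1;
    return a;
}
```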

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: serialize-javascript (npm)
Affected versions: < 7.0.5
Patched versions: 7.0.5

Patches

f147e90269b5

Merge commit from fork

https://github.com/yahoo/serialize-javascript · Ryuichi Okumura · Mar 25, 2026 · via ghsa
2 files changed · +25 −2
  • index.js (+2 −2, modified)
    @@ -125,8 +125,8 @@ module.exports = function serialize(obj, options) {
                     return '@__S-' + UID + '-' + (sets.push(origValue) - 1) + '__@';
                 }
     
    -            if(origValue instanceof Array) {
    -                var isSparse = origValue.filter(function(){return true}).length !== origValue.length;
    +            if(Array.isArray(origValue)) {
    +                var isSparse = Object.keys(origValue).length !== origValue.length;
                     if (isSparse) {
                         return '@__A-' + UID + '-' + (arrays.push(origValue) - 1) + '__@';
                     }
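Review bot: The replacement `isSparse` check, `Object.keys(origValue).length !== origValue.length`, counts every enumerable own string key rather than only index keys, so a dense array carrying an expando property (`arr.extra = 1`) now reports as sparse and is routed through the `@__A-` placeholder path, which the old `filter`-based comparison did not do. If that behaviour change is acceptable, a one-line comment and a test for the expando case would make it explicit; otherwise count only array-index keys. The switch to `Array.isArray` is the right fix for the reported issue: it rejects the `Object.create(Array.prototype)` array-like, which then falls through to plain-object handling, and `Object.keys` never invokes an overridable method such as `filter`.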
    
  • test/unit/serialize.js (+23 −0, modified)
    @@ -426,6 +426,29 @@ describe('serialize( obj )', function () {
             });
         });
     
    +    describe('array-like objects', function () {
    +        it('should not hang on array-like objects with large length', function () {
    +            var value = Object.create(Array.prototype);
    +            value[Symbol.toStringTag] = 'Array';
    +            Object.defineProperty(value, 'length', {
    +                value: Number.MAX_SAFE_INTEGER,
    +            });
    +            // Should serialize without hanging (treated as a plain object)
    +            var result = serialize(value);
    +            strictEqual(typeof result, 'string');
    +        });
    +
    +        it('should not hang on Array subclass with overridden filter', function () {
    +            var arr = new (class extends Array {
    +                filter() {
    +                    while (true) {}
    +                }
    +            })();
    +            var result = serialize(arr);
    +            strictEqual(typeof result, 'string');
    +        });
    +    });
    +
         describe('sparse arrays', function () {
             it('should serialize sparse arrays', function () {
                 var a = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
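Review bot: Both new tests assert only `typeof result === 'string'`, so they would keep passing if a later change sent the array-like through the array placeholder path again, as long as it did not hang; the comment says it should be "treated as a plain object", so assert on the serialized value (for instance that it equals the output for a plain empty object). The second test constructs an empty subclass instance; giving it elements, e.g. `new (class extends Array { filter() { while (true) {} } })(1, 2, 3)`, would also exercise the new `Object.keys` comparison on a non-empty dense array.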
    
