Medium severity 5.9 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 3, 2026
CVE-2026-34043
Description
serialize-javascript serializes JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from `Array.prototype` but has a very large `length` property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
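For deployments that cannot move to 7.0.5 immediately, untrusted input can be screened before it reaches the serializer. The following is an added example, not code from the serialize-javascript project or its patch; the function names and the `MAX_ARRAY_LENGTH` cap are assumptions, and the serializer is passed in as a parameter.

```javascript
// Pre-serialization guard for the object shape described in this advisory.
// Hypothetical helper names; MAX_ARRAY_LENGTH is an assumed application limit.
const MAX_ARRAY_LENGTH = 10000;

// Classify one value without ever looping up to value.length.
function classify(value, maxLength = MAX_ARRAY_LENGTH) {
  if (value === null || typeof value !== 'object') return 'ok';
  // Only objects with Array.prototype in their prototype chain are of interest.
  if (!Array.prototype.isPrototypeOf(value)) return 'ok';
  // Inherits from Array.prototype but is not a real array: the crafted shape.
  if (!Array.isArray(value)) return 'array-like-impostor';
  // Real array (possibly sparse) whose length exceeds what the app expects.
  if (value.length > maxLength) return 'oversized-array';
  return 'ok';
}

// Walk an object graph iteratively and report every flagged value with its path.
// Object.keys() visits own enumerable keys only, so the walk cost depends on
// the data actually present, not on a declared length. Cycles are skipped.
function findUnsafeValues(root, maxLength = MAX_ARRAY_LENGTH) {
  const findings = [];
  const seen = new WeakSet();
  const stack = [{ value: root, path: '$' }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    if (value === null || typeof value !== 'object' || seen.has(value)) continue;
    seen.add(value);
    const verdict = classify(value, maxLength);
    if (verdict !== 'ok') {
      findings.push({ path, verdict });
      continue; // do not descend into a rejected value
    }
    for (const key of Object.keys(value)) {
      stack.push({ value: value[key], path: `${path}.${key}` });
    }
  }
  return findings;
}

// Wrap any serializer: refuse the input instead of letting the process spin.
function guardedSerialize(serialize, input, maxLength = MAX_ARRAY_LENGTH) {
  const findings = findUnsafeValues(input, maxLength);
  if (findings.length > 0) {
    const detail = findings.map((f) => `${f.path} (${f.verdict})`).join(', ');
    throw new RangeError(`refusing to serialize: ${detail}`);
  }
  return serialize(input);
}
```

The guard is a stop-gap for input validation at a trust boundary; upgrading to 7.0.5 remains the fix.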
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| serialize-javascript (npm) | >= 5.0.0, < 7.0.5 | 7.0.5 |
Affected products
28 products:

- Range: < 7.0.5
- osv-coords (26 versions), listed below. No entry has a CPE.

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflows-ui-3.6 | < 3.6.19-r6 |
| pkg:apk/chainguard/argo-workflows-ui-3.7 | < 3.7.13-r2 |
| pkg:apk/chainguard/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/chainguard/librechat | < 0.8.4-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r10 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r10 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r12 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r12 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-fips | < 4.14.4-r2 |
| pkg:apk/wolfi/argo-workflows-ui-3.7 | < 3.7.13-r2 |
| pkg:apk/wolfi/argo-workflows-ui-4.0 | < 4.0.4-r6 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r10 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r12 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.127-1.el10_2 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.127-1.el10_2 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.127-1.el10_2 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.27-1.el10_2 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.127-1.el10_2 |
References
6 references:

- github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b (nvd; Patch; WEB)
- github.com/advisories/GHSA-qj8w-gfj5-8c6v (ghsa; ADVISORY)
- github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v (nvd; Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-34043 (ghsa; ADVISORY)
- github.com/yahoo/serialize-javascript/releases/tag/v5.0.0 (ghsa; WEB)
- github.com/yahoo/serialize-javascript/releases/tag/v7.0.5 (nvd; Release Notes; WEB)