PT-2026-28596 · Unknown · Serialize-Javascript

Tomeraberbach · Published 2026-03-27 · Updated 2026-05-27

CVE-2026-34043
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: serialize-javascript versions prior to 7.0.5
Description: This issue is a Denial of Service (DoS) caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object inheriting from Array.prototype with a very large length property), the process enters an intensive loop, consumes 100% CPU and hangs indefinitely. The vulnerability is triggered when the serialize() function is called on untrusted or user-controlled objects. The issue is exacerbated if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as either could be used to inject the malicious object. The problem was addressed by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.
Recommendations: Upgrade to version 7.0.5 or later.
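The following is an added illustration, not code from serialize-javascript or from this advisory, of why the pre-fix check is fooled and how the Array.isArray()/Object.keys() approach described above bounds the work by the number of own keys rather than the claimed length. The `arrayLike` object, the helper names and the toy `serializeSafe` output format are all constructed for this example.

```javascript
// Constructed stand-in for the "array-like" object the advisory describes:
// it inherits from Array.prototype but is not a real Array, and it claims a
// huge length without storing a single element.
const arrayLike = Object.create(Array.prototype);
arrayLike.length = 2 ** 31; // constructed value; nothing is allocated

// Pre-fix style check: satisfied by anything on the Array.prototype chain.
function looksLikeArrayLegacy(value) {
  return value instanceof Array;
}

// Fixed style check: only genuine Array exotic objects pass.
function looksLikeArrayFixed(value) {
  return Array.isArray(value);
}

// Sparse-array detection via Object.keys(): compares the number of own
// enumerable keys with length instead of walking 0..length-1.
function isSparseArray(arr) {
  if (!Array.isArray(arr)) return false;
  return Object.keys(arr).length !== arr.length;
}

// Toy serializer guarded the way the fix describes. Real arrays are walked
// element by element (sparse ones by their existing indices only); every
// other object is emitted from its own keys, so a bogus length is just a
// number that gets printed, never a loop bound.
function serializeSafe(value) {
  if (Array.isArray(value)) {
    if (isSparseArray(value)) {
      const entries = Object.keys(value).map(k => `${k}:${serializeSafe(value[k])}`);
      return `Array(${value.length}){${entries.join(',')}}`;
    }
    return `[${value.map(serializeSafe).join(',')}]`;
  }
  if (value !== null && typeof value === 'object') {
    const entries = Object.keys(value).map(k => `${JSON.stringify(k)}:${serializeSafe(value[k])}`);
    return `{${entries.join(',')}}`;
  }
  return value === undefined ? 'undefined' : JSON.stringify(value);
}

console.log(looksLikeArrayLegacy(arrayLike), looksLikeArrayFixed(arrayLike)); // true false
console.log(serializeSafe(arrayLike));   // {"length":2147483648}
console.log(serializeSafe([1, , 3]));    // Array(3){0:1,2:3}
```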

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2026:21286
ALSA-2026:21291
ALSA-2026:21293
CLEANSTART-2026-BE61221
CVE-2026-34043
GHSA-QJ8W-GFJ5-8C6V

Affected Products

Serialize-Javascript