Denial of Service Vulnerability in Yahoo's Serialize JavaScript Library
CVE-2026-34043

5.9MEDIUM

Key Information:

Vendor

Yahoo

Status
Serialize-javascript
Vendor
CVE Published:
31 March 2026

What is CVE-2026-34043?

An issue has been identified in Yahoo's Serialize JavaScript library where a crafted 'array-like' object can trigger a Denial of Service condition due to CPU exhaustion. When attempting to serialize such objects—characterized by inheriting from Array.prototype but having a very large length property—the serialization process enters a loop that consumes 100% of CPU resources indefinitely. This vulnerability has been resolved in version 7.0.5, underscoring the importance of timely updates to maintain application stability and security.

Affected Version(s)

serialize-javascript < 7.0.5

References

https://github.com/yahoo/serialize-javascript/security/ad...
x_refsource_CONFIRM
https://github.com/yahoo/serialize-javascript/commit/f147...
x_refsource_MISC
https://github.com/yahoo/serialize-javascript/releases/ta...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.