7.5
CVE-2026-34043
- EPSS 0.47%
- Veröffentlicht 31.03.2026 01:48:45
- Zuletzt bearbeitet 03.04.2026 16:53:52
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.47% | 0.372 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-400 Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-834 Excessive Iteration
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5