Platform: nodejs
Component: serialize-javascript
Fixed in: 7.0.6, 7.0.5, 7.0.5
CVE-2026-34043 is a Denial of Service (DoS) vulnerability within the serialize-javascript Node.js package. This vulnerability arises from CPU exhaustion when serializing specially crafted "array-like" objects, causing indefinite application hangs. It impacts versions prior to 7.0.5 and can be mitigated by upgrading to the patched version or implementing robust input validation.
The primary impact of CVE-2026-34043 is a denial of service. An attacker can trigger a CPU exhaustion loop by providing a specially crafted object to the serialize-javascript function. This object inherits from Array.prototype and possesses a very large length property. The serialization process then enters an intensive loop, consuming 100% of the CPU resources and effectively freezing the application. While direct exploitation might be challenging, the risk significantly increases if the application also handles untrusted input or is vulnerable to other injection attacks, potentially allowing an attacker to control the serialized object.
CVE-2026-34043 was publicly disclosed on March 27, 2026. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, suggesting a relatively low probability of immediate exploitation, but the potential for abuse remains if integrated into other attack vectors.
Applications built with Node.js that utilize the serialize-javascript package to serialize data, particularly those handling user-supplied or untrusted input, are at risk. This includes web applications, APIs, and backend services that rely on this package for data serialization and transmission.
• nodejs / server:
ps aux | grep '[s]erialize-javascript' | awk '{print $2}' | paste -sd, - | xargs -r htop -p
• nodejs / server:
journalctl -u node | grep -i "cpu exhaustion"
• generic web: Monitor Node.js application logs for excessive CPU usage or errors related to object serialization.
Disclosure: March 27, 2026
Exploit status: no indication of active exploitation
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2026-34043 is to upgrade the serialize-javascript package to version 7.0.5 or later. This version contains a fix that prevents the CPU exhaustion loop. If upgrading is not immediately feasible, implement strict input validation to ensure that only trusted data is serialized. Specifically, validate the length property of any array-like objects before passing them to the serialize function. Consider implementing rate limiting or other resource controls to limit the impact of potential attacks. After upgrade, confirm functionality by serializing a variety of test objects, including those with large length properties, to ensure the fix is effective.
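As an added example, not code from the advisory or the serialize-javascript project, the following pre-serialization guard implements the length validation the mitigation above describes: it walks the object graph and rejects array-like objects (including objects inheriting from Array.prototype) whose declared length exceeds a cap or has no backing indexed keys. The helper names and the cap of 10,000 are assumptions.

```javascript
// Constructed example guard; hypothetical helper names, not the library's API.
const DEFAULT_MAX_LENGTH = 10000; // assumed policy cap, tune per application

// True for real arrays and for "array-like" objects: anything inheriting from
// Array.prototype or exposing a numeric `length` property.
function isArrayLike(value) {
  if (Array.isArray(value)) return true;
  if (value === null || typeof value !== 'object') return false;
  return Array.prototype.isPrototypeOf(value) || typeof value.length === 'number';
}

// Returns null when `value` is safe to hand to a serializer, otherwise a string
// naming the first problem found. Recurses into nested objects and tolerates cycles.
function findUnsafeArrayLike(value, maxLength = DEFAULT_MAX_LENGTH, seen = new WeakSet(), path = '$') {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null; // already visited (cycle or shared reference)
  seen.add(value);

  if (isArrayLike(value)) {
    const len = value.length;
    if (!Number.isInteger(len) || len < 0) return `${path}: non-integer length ${String(len)}`;
    if (len > maxLength) return `${path}: length ${len} exceeds cap ${maxLength}`;
    if (!Array.isArray(value)) {
      // A fake array-like whose declared length is not backed by indexed own keys
      // would make a serializer iterate `len` empty slots; refuse it.
      const indexed = Object.keys(value).filter((k) => /^\d+$/.test(k)).length;
      if (len > indexed) return `${path}: declared length ${len} but only ${indexed} own indexed keys`;
    }
  }
  for (const key of Object.keys(value)) {
    const problem = findUnsafeArrayLike(value[key], maxLength, seen, `${path}.${key}`);
    if (problem) return problem;
  }
  return null;
}

// Wraps any serializer function (serialize-javascript's default export, JSON.stringify, ...)
// so that unsafe input is rejected before the serializer ever sees it.
function safeSerialize(value, serializeFn, maxLength = DEFAULT_MAX_LENGTH) {
  const problem = findUnsafeArrayLike(value, maxLength);
  if (problem) throw new RangeError(`refusing to serialize: ${problem}`);
  return serializeFn(value);
}
```

Rejections surface as a RangeError with the offending path, which is also a useful log signal for the detection guidance above.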
Update the serialize-javascript library to version 7.0.5 or later. This fixes the CPU-exhaustion denial-of-service vulnerability. You can update the dependency using npm or yarn.
CVE-2026-34043 is a Denial of Service vulnerability in the serialize-javascript Node.js package. A crafted object can cause CPU exhaustion, leading to application hangs.
You are affected if you are using serialize-javascript versions prior to 7.0.5 and your application handles untrusted data during serialization.
Upgrade to serialize-javascript version 7.0.5 or later. Alternatively, implement input validation to prevent the serialization of malicious objects.
There is currently no evidence of active exploitation, but the potential for abuse remains if integrated into other attack vectors.
Refer to the serialize-javascript project's repository or website for the official advisory and release notes.