Platform: nodejs
Component: serialize-javascript
Fixed versions: 7.0.6, 7.0.5
CVE-2026-34043 is a Denial of Service (DoS) vulnerability in the serialize-javascript Node.js package. Serializing a specially crafted "array-like" object drives the serializer into a CPU-bound loop, so the calling process hangs for an unbounded time. Versions prior to 7.0.5 are affected; the fix is to upgrade to the patched version, or, until that is possible, to validate input before it reaches serialize().
The impact of CVE-2026-34043 is denial of service. The trigger is an object that is not a real Array but inherits from Array.prototype and carries a very large length property. When serialize-javascript processes it, the serializer enters a loop proportional to that declared length, pinning a CPU core at 100% and leaving the single-threaded Node.js event loop, and therefore the whole application, unresponsive. Exploitation requires the attacker to influence the object that the application passes to serialize(); that is unlikely when only trusted, server-built data is serialized, but becomes realistic wherever untrusted input is turned into objects before serialization or another injection flaw lets an attacker shape those objects.
CVE-2026-34043 was publicly disclosed on March 27, 2026. There is no indication of active exploitation campaigns at this time, and the vulnerability is not listed in the CISA KEV catalog. Public proof-of-concept code is not widely available, which suggests a low probability of immediate exploitation, but the issue remains easy to abuse once chained with any vector that gives an attacker control over serialized objects.
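The object shape described above, together with the pre-serialization check that the mitigation guidance on this page recommends, as an added JavaScript example. This is not code from serialize-javascript or from this advisory: the size limit, the names `isArrayLike`, `assertSafeToSerialize`, `guardedSerialize` and `craftedArrayLike`, and the use of `JSON.stringify` as a stand-in serializer are assumptions; in an application the serializer passed to `guardedSerialize` would be `require('serialize-javascript')`.

```javascript
'use strict';

// Assumed policy limit on the declared length of any array or array-like
// object accepted for serialization; tune it to the largest legitimate
// collection the application actually serializes.
const MAX_ARRAY_LENGTH = 100000;

// The shape the advisory describes: not a real Array (Array.isArray is
// false) but inheriting from Array.prototype or carrying a numeric length.
function isArrayLike(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  return Array.prototype.isPrototypeOf(value) || typeof value.length === 'number';
}

// Walks plain objects, arrays, Maps and Sets and throws a RangeError on the
// first array or array-like whose declared length is not a small safe
// integer. `seen` guards against cycles so the walk itself always terminates.
function assertSafeToSerialize(value, limit = MAX_ARRAY_LENGTH, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) {
    return;
  }
  seen.add(value);

  if (Array.isArray(value) || isArrayLike(value)) {
    const len = value.length;
    if (!Number.isSafeInteger(len) || len < 0 || len > limit) {
      throw new RangeError(
        `refusing to serialize array-like with declared length ${String(len)}`
      );
    }
  }
  if (value instanceof Map) {
    for (const [k, v] of value) {
      assertSafeToSerialize(k, limit, seen);
      assertSafeToSerialize(v, limit, seen);
    }
    return;
  }
  if (value instanceof Set) {
    for (const v of value) assertSafeToSerialize(v, limit, seen);
    return;
  }
  for (const key of Object.keys(value)) {
    assertSafeToSerialize(value[key], limit, seen);
  }
}

// Wraps any serializer so the check runs first. The serializer is passed in
// (an assumption made so this file has no dependency); in an application it
// would be require('serialize-javascript').
function guardedSerialize(serializeFn, value, options) {
  assertSafeToSerialize(value);
  return serializeFn(value, options);
}

// Constructed sample of the crafted object: inherits from Array.prototype and
// declares an enormous length while holding no elements at all.
function craftedArrayLike(length) {
  const obj = Object.create(Array.prototype);
  obj.length = length;
  return obj;
}

// A benign payload passes; the crafted one is rejected before any serializer
// runs. JSON.stringify stands in for the real serializer here.
function demo() {
  const result = {};
  result.benign = guardedSerialize(JSON.stringify, { items: [1, 2, 3] });
  try {
    guardedSerialize(JSON.stringify, { payload: craftedArrayLike(2 ** 32 - 1) });
    result.crafted = 'accepted';
  } catch (err) {
    result.crafted = err.name;
  }
  return result;
}

console.log(demo());
```

The guard rejects on the declared length rather than on actual contents, because the crafted object owns no elements: walking its keys would find nothing wrong, while the serializer iterates up to the length it claims.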
Applications built with Node.js that utilize the serialize-javascript package to serialize data, particularly those handling user-supplied or untrusted input, are at risk. This includes web applications, APIs, and backend services that rely on this package for data serialization and transmission.
• nodejs / server: list Node.js processes sorted by CPU; a process stuck in the serialization loop shows as one node process pinned near 100% CPU with a steadily growing elapsed time:
ps -eo pid,pcpu,etime,cmd --sort=-pcpu | grep '[n]ode'
• nodejs / server: review the service's recent journal for timeouts and errors around serialization ("node" stands for the systemd unit name of the application; Node.js itself emits no "cpu exhaustion" message, so search for symptoms rather than that phrase):
journalctl -u node --since "1 hour ago" | grep -iE 'timeout|serializ'
• generic web: monitor application metrics and logs for sustained CPU usage, request timeouts, or errors raised around object serialization.
Disclosure / exploitation status
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2026-34043 is to upgrade the serialize-javascript package to version 7.0.5 or later, which contains the fix for the CPU exhaustion loop. If upgrading is not immediately feasible, validate data before serialization so that only trusted objects reach serialize(): in particular, reject any array or array-like object whose length property is not a small, safe integer, and check nested values, not only the top-level object. Rate limiting and per-request resource controls reduce the blast radius of a single hung serialization but do not remove the bug. After upgrading, confirm the fix by serializing a set of test objects, including array-like objects with very large length properties, under a timeout so a still-vulnerable build cannot hang the test run.
Update the serialize-javascript library to version 7.0.5 or later; this resolves the CPU-exhaustion denial of service. The dependency can be updated with npm or yarn.
CVE-2026-34043 is a Denial of Service vulnerability in the serialize-javascript Node.js package. A crafted object can cause CPU exhaustion, leading to application hangs.
You are affected if you are using serialize-javascript versions prior to 7.0.5 and an attacker can influence the objects your application passes to serialize(), for example because untrusted data is serialized.
Upgrade to serialize-javascript version 7.0.5 or later. Alternatively, implement input validation to prevent the serialization of malicious objects.
There is currently no evidence of active exploitation, but the potential for abuse remains if integrated into other attack vectors.
Refer to the serialize-javascript project's repository or website for the official advisory and release notes.