CVE-2026-34043 Overview
CVE-2026-34043 is a Denial of Service (DoS) vulnerability affecting the serialize-javascript library, which serializes JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, the library is vulnerable to CPU exhaustion when processing specially crafted "array-like" objects. When serializing an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.
Critical Impact
Applications using vulnerable versions of serialize-javascript can be rendered completely unresponsive when processing malicious input, leading to service disruption and potential cascading failures in dependent systems.
Affected Products
- serialize-javascript versions prior to 7.0.5
- Applications and build tools using serialize-javascript for data serialization
- Node.js applications processing untrusted serialized data
Discovery Timeline
- 2026-03-31 - CVE-2026-34043 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34043
Vulnerability Analysis
This vulnerability falls under CWE-400 (Uncontrolled Resource Consumption). The root issue lies in how the serialization logic determines whether an array is sparse. The vulnerable code path triggers when an attacker provides a malicious object that inherits from Array.prototype but has an artificially inflated length property, causing the serializer to enter a computationally expensive loop.
The attack can be executed over the network by any unauthenticated attacker who can supply input that gets serialized by the affected library. Successful exploitation results in complete denial of service through CPU exhaustion, with the affected process becoming unresponsive.
Root Cause
The vulnerability stems from the use of instanceof Array for type checking combined with an inefficient sparse array detection mechanism. The original code used the filter() method to count actual elements, which iterates based on the array's length property. When a malicious object with an extremely large length value (such as Number.MAX_SAFE_INTEGER) is passed, this creates an effectively infinite loop that exhausts CPU resources.
Attack Vector
An attacker can exploit this vulnerability by crafting a JavaScript object that:
- Inherits from Array.prototype (passing the instanceof Array check)
- Contains an extremely large length property value
- Is passed to the serialize() function either directly or through application input
When the vulnerable code attempts to determine if this object is a sparse array, it enters a loop bounded by the malicious length value, causing CPU exhaustion.
return '@__S-' + UID + '-' + (sets.push(origValue) - 1) + '__@';
}
- if(origValue instanceof Array) {
- var isSparse = origValue.filter(function(){return true}).length !== origValue.length;
+ if(Array.isArray(origValue)) {
+ var isSparse = Object.keys(origValue).length !== origValue.length;
if (isSparse) {
return '@__A-' + UID + '-' + (arrays.push(origValue) - 1) + '__@';
}
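Review bot: the new sparse test on the `+` line, `Object.keys(origValue).length !== origValue.length`, also counts non-index own enumerable properties, so a dense array that carries an extra named property (for example `var a = [1, 2]; a.tag = 'x';`) is now reported as sparse and routed to the `@__A-` placeholder path, whereas the old `filter()` check ignored such keys. If that behaviour change is not intended, filter the keys down to canonical array indices before comparing, and either way add a regression test that passes an object created with `Object.create(Array.prototype)` and a very large `length` through this branch to confirm that `Array.isArray` short-circuits it without touching `length`.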
Source: GitHub Commit Update
The patch addresses this vulnerability in two ways. Replacing instanceof Array with Array.isArray() rejects objects that merely inherit from Array.prototype, so an array-like impostor never reaches the sparse check at all. Replacing filter() with Object.keys(origValue).length counts only the own enumerable keys that actually exist, so the cost of the check scales with the number of real elements rather than with the value of the length property. Together these changes prevent objects with inflated length properties from triggering the expensive iteration.
Detection Methods for CVE-2026-34043
Indicators of Compromise
- Sudden CPU spikes reaching 100% utilization in Node.js processes
- Application or service hangs with no response to requests
- Event loop blocking detected in Node.js process monitoring
- Memory allocation patterns indicating infinite loop behavior
Detection Strategies
- Monitor Node.js processes for sustained high CPU usage without corresponding request throughput
- Implement request timeout mechanisms to detect hanging serialization operations
- Use application performance monitoring (APM) to identify anomalous serialization durations
- Deploy SentinelOne's behavioral detection to identify resource exhaustion patterns
Monitoring Recommendations
- Set up alerting for CPU utilization exceeding normal thresholds on application servers
- Implement distributed tracing to identify stuck serialization calls
- Monitor application response times for degradation indicating DoS conditions
- Use SentinelOne Singularity platform for real-time threat detection and response
How to Mitigate CVE-2026-34043
Immediate Actions Required
- Upgrade serialize-javascript to version 7.0.5 or later immediately
- Audit application dependencies using npm audit or yarn audit
- Review any code paths that pass untrusted input to serialization functions
- Implement input validation to reject objects with abnormally large length properties
Patch Information
The vulnerability has been patched in serialize-javascript version 7.0.5. The fix (commit f147e90269b58bb6e539cfdf3d0e20d6ad14204b) modifies the array type checking and sparse detection logic to prevent exploitation. Organizations should update immediately by modifying their package.json or running the appropriate package manager update command.
For detailed information, see the GitHub Security Advisory GHSA-qj8w-gfj5-8c6v and the GitHub Release v7.0.5.
Workarounds
- Validate input objects before serialization to ensure length properties are within acceptable bounds
- Implement request timeouts to prevent indefinite hangs from impacting entire services
- Use worker threads or separate processes for serialization to isolate potential DoS impact
- Apply input sanitization at API boundaries to reject suspicious array-like objects
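The following is an added example, not code from the serialize-javascript project or from this advisory. It reproduces the two sparse checks from the patch side by side so the root cause described under Attack Vector can be seen on small inputs, and it implements the input-validation workaround listed above as a guard that inspects a value before it is handed to serialize(). The helper names makeArrayLike, isSparseVulnerable, isSparseFixed and findSuspiciousArrayLike are assumptions chosen for this example, as is the maxLength bound of 100000; the sample inputs are constructed here.

```javascript
'use strict';

// Builds the shape described in the advisory: an object that inherits from
// Array.prototype (so `instanceof Array` is true) with a caller-chosen length.
// Used here only to exercise the checks below on small, bounded inputs.
function makeArrayLike(length) {
  const obj = Object.create(Array.prototype);
  obj.length = length;
  return obj;
}

// Sparse check as it existed before 7.0.5 (mirrors the `-` lines of the hunk).
// filter() walks every index from 0 up to length, so an inflated length turns
// this into a loop that effectively never finishes. Only call it with small
// lengths in this example; it is here to show the decision, not the cost.
function isSparseVulnerable(value) {
  if (!(value instanceof Array)) return null; // not routed to the array branch
  return value.filter(function () { return true; }).length !== value.length;
}

// Sparse check as patched in 7.0.5 (mirrors the `+` lines of the hunk).
// Array.isArray() rejects impostors outright, and Object.keys() only visits
// own enumerable keys that actually exist, so cost tracks real elements.
function isSparseFixed(value) {
  if (!Array.isArray(value)) return null;
  return Object.keys(value).length !== value.length;
}

// Workaround guard for callers still on a vulnerable version (assumed helper):
// walk the value that is about to be serialized and report the first object
// that is either an impostor (inherits Array.prototype but is not a real
// array) or an array-like whose length is not a sane integer within maxLength.
// Returns null when nothing suspicious is found. Real arrays are not bounded
// here because the patched check handles them in time proportional to their
// actual elements; cycles are tolerated via the `seen` set.
function findSuspiciousArrayLike(value, maxLength = 100000, seen = new Set(), path = '$') {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null;
  seen.add(value);

  const isRealArray = Array.isArray(value);
  if (!isRealArray && value instanceof Array) {
    return { path, reason: 'inherits Array.prototype but is not an array', length: value.length };
  }
  if (!isRealArray && 'length' in value) {
    const len = value.length;
    if (!Number.isInteger(len) || len < 0 || len > maxLength) {
      return { path, reason: 'array-like length out of bounds', length: len };
    }
  }
  for (const key of Object.keys(value)) {
    const hit = findSuspiciousArrayLike(value[key], maxLength, seen, path + '.' + key);
    if (hit) return hit;
  }
  return null;
}

// Constructed sample input: a harmless payload alongside one carrying the
// array-like shape with an inflated length nested inside it.
const samplePayload = {
  items: [1, 2, 3],
  sparse: [1, , 3],
  nested: { bad: makeArrayLike(Number.MAX_SAFE_INTEGER) },
};

// Stand-alone run: the patched check returns instantly for the impostor
// because Array.isArray() never consults its length, and the guard pinpoints it.
console.log('fixed check on impostor:', isSparseFixed(samplePayload.nested.bad));
console.log('guard result:', findSuspiciousArrayLike(samplePayload));
```

In a service that cannot upgrade yet, the guard would run at the API boundary before serialize() is called, and a non-null result would be logged and the request rejected; the same walk doubles as a detection hook, since each hit carries the path of the offending property.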
# Install the patched version (npm update does not accept a version spec; use install)
npm install serialize-javascript@7.0.5
# Verify the installed version
npm list serialize-javascript
# Run a security audit to check for other vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.