Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (1)
| Vulnerability |
Summary |
Aliases |
|
VCID-vn8z-q24d-57bu
|
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
### Impact
**What kind of vulnerability is it?**
It is a **Denial of Service (DoS)** vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from `Array.prototype` but has a very large `length` property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.
**Who is impacted?**
Applications that use `serialize-javascript` to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to **Prototype Pollution** or handles untrusted data via **YAML Deserialization**, as these could be used to inject the malicious object.
### Patches
**Has the problem been patched?**
Yes, the issue has been patched by replacing `instanceof Array` checks with `Array.isArray()` and using `Object.keys()` for sparse array detection.
**What versions should users upgrade to?**
Users should upgrade to **`v7.0.5`** or later.
### Workarounds
**Is there a way for users to fix or remediate the vulnerability without upgrading?**
There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:
* Validating and sanitizing all input before passing it to the `serialize()` function.
* Ensuring the environment is protected against Prototype Pollution.
* Upgrading to **`v7.0.5`** as soon as possible.
### Acknowledgements
Serialize JavaScript thanks **Tomer Aberbach** (@TomerAberbach) for discovering and privately disclosing this issue.
|
CVE-2026-34043
GHSA-qj8w-gfj5-8c6v
|