Bug 2453284 (CVE-2026-34043) - CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization
Summary: CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service ...
Keywords:
Status: NEW
Alias: CVE-2026-34043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2453938 2453939 2453940 2453941 2453942 2453943 2453944 2453945 2453946 2453947 2453948 2453949 2453950
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-31 03:02 UTC by OSIDB Bzimport
Modified: 2026-04-01 18:38 UTC (History)
104 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-31 03:02:30 UTC 
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Note You need to log in before you can comment on or make changes to this bug.