Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
- Severity: Medium
Description
What kind of vulnerability is it?
It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted “array-like” object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.
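As an added example (not code from this advisory or from the serialize-javascript project), the following guard inspects untrusted input before it is handed to a serializer and rejects the shape the advisory describes: a non-Array object that inherits from Array.prototype and carries an oversized `length`. The `MAX_ARRAY_LIKE_LENGTH` bound, the function names and the `serializeFn` parameter are assumptions chosen for illustration; the guard never calls serialize-javascript itself.

```javascript
// Added example: pre-serialization guard for untrusted object graphs.
// Assumed bound on how large a length an "array-like" object may declare.
const MAX_ARRAY_LIKE_LENGTH = 10000;

// True for a non-Array object that inherits from Array.prototype and
// declares a numeric length above the bound (the advisory's trigger shape).
function isSuspiciousArrayLike(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return false; // genuine arrays are not the issue here
  if (!Array.prototype.isPrototypeOf(value)) return false;
  const len = value.length;
  return typeof len === 'number' && len > MAX_ARRAY_LIKE_LENGTH;
}

// Iterative depth-first walk over own enumerable properties. A WeakSet of
// visited objects makes cyclic graphs terminate. Returns a path such as
// "/payload" to the first suspicious value, "/" for the root, or null.
function findSuspiciousArrayLike(root) {
  const seen = new WeakSet();
  const stack = [[root, '']];
  while (stack.length > 0) {
    const [value, path] = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    if (seen.has(value)) continue;
    seen.add(value);
    if (isSuspiciousArrayLike(value)) return path === '' ? '/' : path;
    // Object.keys only yields own properties, so a huge declared length
    // does not by itself cause a long loop here.
    for (const key of Object.keys(value)) {
      stack.push([value[key], `${path}/${key}`]);
    }
  }
  return null;
}

// Wrap any serializer (assumed serializeFn, e.g. JSON.stringify) so that
// flagged input is refused instead of being serialized.
function guardedSerialize(value, serializeFn) {
  const hit = findSuspiciousArrayLike(value);
  if (hit !== null) {
    throw new RangeError(`refusing to serialize: oversized array-like at ${hit}`);
  }
  return serializeFn(value);
}
```

This is defense in depth for input that reaches a serializer; upgrading to a patched release remains the actual fix.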
Recommendation
Update the serialize-javascript package to the latest compatible version. Version details:
- Affected version(s): >= 5.0.0, < 7.0.5
- Patched version(s): 7.0.5
References
Related Issues
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Tags: npm, serialize-javascript
Last updated on May 21, 2026