Skip to content

serialize-javascript-5.0.1.tgz: 1 vulnerabilities (highest severity is: 5.9) unreachable #1997

Description

@mend-for-github-com
Vulnerable Library - serialize-javascript-5.0.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (serialize-javascript version) Remediation Possible** Reachability
CVE-2026-34043 Medium 5.9 Not Defined 0.472% serialize-javascript-5.0.1.tgz Direct https://github.com/yahoo/serialize-javascript.git - v7.0.5

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-34043

Vulnerable Library - serialize-javascript-5.0.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • serialize-javascript-5.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

Publish Date: 2026-03-31

URL: CVE-2026-34043

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.472%

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-28

Fix Resolution: https://github.com/yahoo/serialize-javascript.git - v7.0.5

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions