## Vulnerability Key Information Summary

### Vulnerability Overview

| Item | Content |
|:---|:---|
| **Vulnerability Name** | Denial of Service (CPU Exhaustion) via crafted array-like objects |
| **CVE ID** | CVE-2024-34064 |
| **Severity** | Moderate (5.9/10) |
| **Vulnerability Type** | Denial of Service (DoS) - CPU Exhaustion |
| **Discoverer** | Tomer Aberbach (@TomerAberbach) |

**Vulnerability Principle**: When serializing a specially crafted "array-like" object (one that inherits from `Array.prototype` but carries a very large `length` property), the process enters an intensive loop driven by that `length` value, resulting in 100% CPU usage and an indefinite hang.

### Impact Scope

| Item | Content |
|:---|:---|
| **Affected Package** | `serialize-javascript` (npm) |
| **Affected Versions** | < 7.0.5 |
| **Secure Versions** | 7.0.5 and above |

**High-Risk Scenarios**:

- Applications using `serialize-javascript` to serialize untrusted or user-controlled objects
- Applications with existing **Prototype Pollution** vulnerabilities
- Applications processing untrusted data through YAML deserialization (potentially used to inject malicious objects)

### Remediation Solutions

#### Official Fix

- **Upgrade to v7.0.5 or higher**

Fix method: Replace the `instanceof Array` check with `Array.isArray()`, and use `Object.keys()` for sparse array detection.

#### Temporary Mitigation Measures (when immediate upgrade is not possible)

1. Validate and sanitize all input passed to the `serialize()` function
2. Ensure the environment is protected against prototype pollution attacks
3. Upgrade to v7.0.5 as soon as possible

---

*Note: The page does not contain POC code or exploit code.*
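The following is an added example, not code from `serialize-javascript` or from the advisory, illustrating the principle and the fix described above: why `instanceof Array` accepts an array-like object that merely inherits from `Array.prototype`, and how a pre-serialization guard built on `Array.isArray()` and `Object.keys()` rejects such inputs before any `length`-driven loop runs. The `MAX_SAFE_ITEMS` limit, the function names and the sample inputs are assumptions made for this example.

```javascript
// Added example (not the library's own code). Demonstrates the checks the
// fix relies on, packaged as a guard to run before calling serialize().

const MAX_SAFE_ITEMS = 10000; // hypothetical per-call limit chosen for this example

// `instanceof` only walks the prototype chain, so any object created with
// Object.create(Array.prototype) passes it. Array.isArray() instead checks
// whether the value is a genuine array exotic object, which such objects are not.
function isGenuineArray(value) {
  return Array.isArray(value);
}

// Object.keys() lists only the own enumerable keys that actually exist, so a
// sparse array (holes) reports fewer keys than its `length` claims. Iterating
// by `length` would visit every hole; iterating by keys visits only real slots.
function isSparse(arr) {
  return Object.keys(arr).length !== arr.length;
}

// Guard to run before handing untrusted data to serialize(). Returns a result
// object instead of throwing so callers can log the reason and decide.
function checkBeforeSerialize(value) {
  if (value === null || typeof value !== 'object') {
    return { ok: true, reason: 'primitive' };
  }
  // Array-like impostor: passes instanceof, fails Array.isArray.
  if (value instanceof Array && !isGenuineArray(value)) {
    return { ok: false, reason: 'array-like object inheriting Array.prototype' };
  }
  if (isGenuineArray(value)) {
    if (value.length > MAX_SAFE_ITEMS) {
      return { ok: false, reason: 'array length exceeds limit' };
    }
    if (isSparse(value)) {
      return { ok: false, reason: 'sparse array' };
    }
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample inputs for the example.
const realArray = [1, 2, 3];
const sparseArray = [1, , 3]; // length 3, but Object.keys gives ['0', '2']
const arrayLike = Object.create(Array.prototype);
arrayLike.length = Number.MAX_SAFE_INTEGER; // a plain property; no elements exist
```

The `arrayLike` object satisfies `instanceof Array` yet `Array.isArray()` returns false for it, which is exactly the distinction the v7.0.5 fix depends on.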