CVE-2026-32141

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606	Patch
https://github.com/WebReflection/flatted/pull/88	Issue Tracking Patch
https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f	Exploit Patch Vendor Advisory
https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-12 18:16

Updated : 2026-03-19 21:07

NVD link : CVE-2026-32141

Mitre link : CVE-2026-32141

CVE.ORG link : CVE-2026-32141

JSON object : View

Products Affected

webreflection

flatted

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2026-32141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-12T18:16:25.837", "references": [{"url": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/pull/88", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0."}, {"lang": "es", "value": "flatted es un analizador de JSON circular. Antes de la versi\u00f3n 3.4.0, la funci\u00f3n parse() de flatted utiliza una fase recursiva revive() para resolver referencias circulares en JSON deserializado. Cuando se le proporciona una carga \u00fatil manipulada con \u00edndices $ profundamente anidados o autorreferenciales, la profundidad de recursi\u00f3n es ilimitada, causando un desbordamiento de pila que bloquea el proceso de Node.js. Esta vulnerabilidad se ha corregido en la versi\u00f3n 3.4.0."}], "lastModified": "2026-03-19T21:07:24.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "767AEF0F-F297-47FE-8BA7-F1B7D7DFB8F0", "versionEndExcluding": "3.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}