CVE-2026-32141
HIGHflatted < 3.4.0 - Denial of Service via Uncontrolled Recursion in parse() Function
Title source: llmDescription
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f
Issue Tracking x_refsource_misc
https://github.com/WebReflection/flatted/pull/88
Scores
CVSS v3
7.5
EPSS
0.0056
EPSS Percentile
41.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-674
Status
published
Products (3)
npm/flatted
0 - 3.4.0npm
webreflection/flatted
< 3.4.0
WebReflection/flatted
< 3.4.0
Published
Mar 12, 2026
Tracked Since
Mar 13, 2026