CVE-2026-32141

HIGH

flatted <3.4.0 - Deserialization

Title source: llm

Description

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 5.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-674
Status published
Products (3)
npm/flatted 0 - 3.4.0 (npm)
webreflection/flatted < 3.4.0
WebReflection/flatted < 3.4.0
Published Mar 12, 2026
Tracked Since Mar 13, 2026