Vulnerability Description
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webreflection | Flatted | < 3.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541Patch
- https://github.com/WebReflection/flatted/pull/88Issue TrackingPatch
- https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65fExploitPatchVendor Advisory
- https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65fExploitPatchVendor Advisory
FAQ
What is CVE-2026-32141?
CVE-2026-32141 is a vulnerability with a CVSS score of 7.5 (HIGH). flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with dee...
How severe is CVE-2026-32141?
CVE-2026-32141 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32141?
Check the references section above for vendor advisories and patch information. Affected products include: Webreflection Flatted.