49 matches found
flatted 安全漏洞
Flatted is a lightweight and fast cycle-based JSON parser developed by Andrea Giammarchi. Versions of Flatted prior to 3.4.2 contained a security vulnerability. This vulnerability stemmed from the parse function not verifying whether the string values controlled by the attacker were actually...
org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-33228 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)
org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-33228 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15700434...
@ahmttyydn/pre-post-request-scripts (>=1.0.0 <=1.0.9), @alfresco/adf-testing (=6.0.0-A.2-8258) +363 more potentially affected by CVE-2026-33228 via flatted (>=3.0.1 <=3.4.1)
flatted NPM version =3.0.1, =1.0.0, =0.0.2, =1.1.0, =1.0.0, =1.0.0, =0.0.10, =0.0.11, =0.0.4, =1.0.0, =0.0.20, =0.0.19, =1.2.2, =1.5.8 and more Source cves: CVE-2026-33228 Source advisory: SNYK:JS-FLATTED-15700433...
GHSA-RF6F-7FWH-WJGH Prototype Pollution via parse() in NodeJS flatted
--- Summary The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\proto\" returns Array.prototype via the...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can manipulate the prototype chain by supplying a specially crafted string that causes the returned object to reference Array.prototype, allowing subsequent writes to that property...
Prototype Pollution via parse() in NodeJS flatted
--- Summary The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\proto\" returns Array.prototype via the...
PT-2026-26465
Name of the Vulnerable Software and Affected Versions flatted versions prior to 3.4.2 Description flatted is a circular JSON parser. The parse function does not validate that string values from the parsed JSON used as array index keys are numeric. This allows attacker-controlled strings, such as ...
Security Bulletin: Due to the use of flatted, IBM DevOps Solution Workbench is affected by a stack overflow that crashes the Node.js process (CVE-2026-32141)
Summary flatted is used internally within IBM DevOps Solution Workbench Vulnerability Details CVEID:CVE-2026-32141 DESCRIPTION: flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 02_add_lodash (=1.0.0) +18519 more potentially affected by CVE-2026-32141 via flatted (>=0.2.3 <=3.3.4)
flatted NPM version =0.2.3, =1.0.1, =1.0.0, =0.1.0, =1.0.1, =0.1.0, =0.1.2, =0.0.2, =0.0.36 - 6o-vsamaru =1.0.0 and more Source cves: CVE-2026-32141 Source advisory: OSV:GHSA-25H7-PFQ9-P65F...
GHSA-25H7-PFQ9-P65F flatted vulnerable to unbounded recursion DoS in parse() revive phase
Summary flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. Impact...
EUVD-2026-11653
flatted vulnerable to unbounded recursion DoS in parse revive phase...
flatted vulnerable to unbounded recursion DoS in parse() revive phase
Summary flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. Impact...
Linux Distros Unpatched Vulnerability : CVE-2026-32141
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON...
CVE-2026-32141
A denial of service flaw has been discovered in the flatted npm library. flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded,...
@ahmttyydn/pre-post-request-scripts (>=1.0.0 <=1.0.9), @alfresco/adf-testing (=6.0.0-A.2-8258) +360 more potentially affected by CVE-2026-32141 via flatted (>=3.0.1 <=3.3.4)
flatted NPM version =3.0.1, =1.0.0, =0.0.2, =1.1.0, =1.0.0, =1.0.0, =0.0.10, =0.0.11, =0.0.4, =1.0.0, =0.0.20, =0.0.19, =1.2.2, =1.5.8 and more Source cves: CVE-2026-32141 Source advisory: SNYK:JS-FLATTED-15518041...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the parse function due to using a recursive revive phase to resolve circular references in deserialized JSON. An attacker can cause a stack overflow and crash the process by supplying a crafted payload with...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the parse function due to using a recursive revive phase to resolve circular references in deserialized JSON. An attacker can cause a stack overflow and crash the process by supplying a crafted payload with...
org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-32141 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)
org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-32141 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15518042...
DEBIAN-CVE-2026-32141
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...
CVE-2026-32141
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...