CVE-2026-33228

Flatted (JSON circular parser) is affected. Prior to 3.4.2, its parse() could treat attacker-controlled string values as direct array index keys, and using the key proto on the internal Array could expose Array.prototype to the output, enabling prototype pollution. The issue has been patched in v...

CVE-2026-32141

A denial of service flaw has been discovered in the flatted npm library. flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded,...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the parse function due to using a recursive revive phase to resolve circular references in deserialized JSON. An attacker can cause a stack overflow and crash the process by supplying a crafted payload with...

DEBIAN-CVE-2026-32141

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...

CVE-2026-32141 flatted: Unbounded recursion DoS in parse() revive phase

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...