CVE
CVE-2026-32141
flatted: Unbounded recursion DoS in parse() revive phase
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32141.json, https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f, https://nvd.nist.gov/vuln/detail/CVE-2026-32141, https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606, https://github.com/WebReflection/flatted/pull/88
Basic Information
Ecosystem
