Description

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

INFO

Published Date :

2026-03-12T18:08:09.634Z

Last Modified :

2026-03-13T16:20:19.201Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32141 vulnerability.

Vendors Products
Webreflection
  • Flatted
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32141.

URL Resource
https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606 cve-icon cve-icon cve-icon
https://github.com/WebReflection/flatted/pull/88 cve-icon cve-icon cve-icon
https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-32141 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-32141 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact