High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026
flatted: Unbounded recursion DoS in parse() revive phase
CVE-2026-32141
Description
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flatted (npm) | < 3.4.0 | 3.4.0 |
Affected products
23 entries: 22 from osv-coords, 1 from v5.

osv-coords (22 versions):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/arangodb-3.11 | < 3.11.14.3-r4 |
| pkg:apk/chainguard/argo-workflows-ui-3.6 | < 3.6.19-r4 |
| pkg:apk/chainguard/eslint | < 10.1.0-r0 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r16 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.163.0-r0 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r19 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.162.0-r1 |
| pkg:apk/chainguard/librechat | < 0.8.4-r3 |
| pkg:apk/chainguard/prism | < 5.14.3-r10 |
| pkg:apk/chainguard/renovate | < 43.84.0-r1 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r8 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r9 |
| pkg:apk/chainguard/vitess-22 | < 22.0.4-r6 |
| pkg:apk/chainguard/vitess-23 | < 23.0.3-r7 |
| pkg:apk/wolfi/eslint | < 10.1.0-r0 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.163.0-r0 |
| pkg:apk/wolfi/prism | < 5.14.3-r10 |
| pkg:apk/wolfi/renovate | < 43.84.0-r1 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r8 |
| pkg:apk/wolfi/vitess-22 | < 22.0.4-r6 |
| pkg:apk/wolfi/vitess-23 | < 23.0.3-r7 |
| pkg:npm/flatted | < 3.4.0 |

No CPE is assigned to any of these entries.

v5:

| Product | Affected range |
|---|---|
| WebReflection/flatted | < 3.4.0 |
References
- github.com/advisories/GHSA-25h7-pfq9-p65f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32141 (ghsa, ADVISORY)
- github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606 (ghsa, x_refsource_MISC, WEB)
- github.com/WebReflection/flatted/pull/88 (ghsa, x_refsource_MISC, WEB)
- github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f (ghsa, x_refsource_CONFIRM, WEB)