VYPR
High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026

flatted: Unbounded recursion DoS in parse() revive phase

CVE-2026-32141

Description

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
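
One way to resolve index references without recursion, as an added example (it is not flatted's code or its 3.4.0 patch). It assumes a simplified flatted-style format: a JSON array whose element 0 is the root and in which string values inside objects or arrays are indices into that array. The names `reviveIterative`, `maxEntries` and `SAMPLE` are hypothetical.

```javascript
// Added example. Simplified flatted-style format (an assumption, not flatted's code):
// a JSON array whose element 0 is the root; inside objects and arrays every string
// value is an index into that array. Top-level strings are literal values.
function reviveIterative(text, maxEntries = 1000000) {
  const table = JSON.parse(text);
  if (!Array.isArray(table) || table.length === 0) {
    throw new TypeError('expected a non-empty JSON array');
  }
  if (table.length > maxEntries) {
    throw new RangeError('input has more entries than maxEntries');
  }
  const seen = new Set();   // containers already queued; makes cycles terminate
  const pending = [];       // explicit work list on the heap replaces the call stack
  const enqueue = (value) => {
    if (value !== null && typeof value === 'object' && !seen.has(value)) {
      seen.add(value);
      pending.push(value);
    }
  };
  enqueue(table[0]);
  while (pending.length > 0) {
    const container = pending.pop();
    for (const key of Object.keys(container)) {
      const slot = container[key];
      if (typeof slot !== 'string') {
        enqueue(slot);      // inline container is queued; primitives are ignored
        continue;
      }
      // Only plain decimal indices inside the table are accepted as references.
      const index = /^\d+$/.test(slot) ? Number(slot) : -1;
      if (index < 0 || index >= table.length) {
        throw new RangeError('reference out of range: ' + JSON.stringify(slot));
      }
      container[key] = table[index];
      enqueue(table[index]);
    }
  }
  return table[0];
}

// Constructed sample: the root refers to itself and to a child that points back.
const SAMPLE = '[{"name":"1","self":"0","child":"2"},"root",{"parent":"0"}]';
const revived = reviveIterative(SAMPLE);
console.log(revived.self === revived, revived.child.parent === revived, revived.name);
```

Because pending work lives in an array rather than in call frames, the depth of a reference chain affects heap use only, and `maxEntries` bounds that.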

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
flatted (npm) | < 3.4.0 | 3.4.0
