VYPR

npm package

flatted

pkg:npm/flatted

Vulnerabilities (2)

  • CVE-2026-33228 (Mar 20, 2026)
    affected < 3.4.2; fixed 3.4.2

    flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, a

  • CVE-2026-32141 (Mar 12, 2026)
    affected < 3.4.0; fixed 3.4.0

    flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus