PT-2026-25037 · Npm · Flatted

Byamb4 · Published 2026-03-12 · Updated 2026-05-18 · CVE-2026-32141

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: flatted versions prior to 3.4.0

Description: flatted is a circular JSON parser. The parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When provided with a crafted payload containing deeply nested or self-referential $ indices, the recursion depth becomes unbounded, leading to a stack overflow and crashing the Node.js process. This can result in a Denial of Service (DoS). The software has approximately 87 million weekly npm downloads and is used in many caching and logging libraries. The issue is triggered by passing untrusted input to the flatted.parse() function. A proof of concept demonstrates building a deeply nested circular reference chain to cause a stack overflow. The vulnerable component is the parse() function, which utilizes the revive() function.

Recommendations: Versions prior to 3.4.0 should be updated to version 3.4.0 or later.

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-32141
GHSA-25H7-PFQ9-P65F

Affected Products

Flatted