CVE-2026-33228

Name of the Vulnerable Software and Affected Versions flatted versions prior to 3.4.2

Description flatted is a circular JSON parser. The parse() function does not validate that string values from the parsed JSON used as array index keys are numeric. This allows attacker-controlled strings, such as " proto ", to be used as keys, accessing Array.prototype via the inherited getter. This prototype is then treated as a parsed value and assigned to the output object, leaking a live reference to Array.prototype to the consumer. Subsequent writes to this property can pollute the global prototype chain. The issue resides in the esm/index.js file, specifically within the resolver function, where the input array is accessed using a potentially unsafe key value. The vulnerable code does not ensure that value is a valid numeric index before accessing the input array. This can lead to denial of service or code execution.

Recommendations versions prior to 3.4.2: Upgrade to version 3.4.2 or later to resolve this issue.