Description
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is an unbounded recursive revive() phase in flatted's parse() function that can cause a stack overflow when parsing JSON objects with deeply nested or self-referential $ indices. The stack overflow crashes the Node.js process, leading to a denial of service. This issue is related to CWE-674 (Uncontrolled Recursion) and CWE-770 (Out-of-Memory Errors).

Affected Systems

WebReflection's flatted package is affected. Any installation using a version older than 3.4.0 is vulnerable; the vulnerability was fixed in flatted 3.4.0. Any Node.js application that depends on flatted, directly or through another dependency, is in scope.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the delivery of a crafted JSON payload to the parse() function, typically from untrusted input. If the application parses data from external sources without validation, an attacker could trigger the stack overflow and cause a denial of service. The exploit does not require privileged access and can be performed remotely by submitting such a payload to the vulnerable function.

Generated by OpenCVE AI on March 19, 2026 at 22:36 UTC.
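The recursion the analysis describes lives in the step that resolves index references after the flat array has been parsed. As an added example (not flatted's code, and not its exact wire format), the following two-pass revive over a simplified flatted-like payload shows the non-recursive shape: every container is allocated first, then references are patched in one flat loop, so a self-reference or a reference chain of any length never grows the call stack, and explicit budgets bound the work. The assumed format (strings inside an entry are indices into the top-level array, real strings are their own entries) and the helper names are illustrative assumptions.

```javascript
// Added example, not flatted's code. Assumed format (illustration only): the
// top level is a JSON array of entries; inside an object or array entry, every
// string value is an index into that top-level array, and real strings live as
// their own entries. Nesting and cycles therefore appear as reference chains.

// Constructed sample: entry 0 points at entry 1 and at itself (a cycle).
const SAMPLE_PAYLOAD = JSON.stringify([{ a: "1", self: "0" }, "hello"]);

// Two passes instead of recursion: allocate every container first, then patch
// references in a flat loop. Call-stack depth stays constant no matter how long
// a reference chain is or whether an entry references itself. Budgets on entry
// count and total references bound the work a hostile payload can cause.
function reviveFlat(text, { maxEntries = 10000, maxRefs = 100000 } = {}) {
  const entries = JSON.parse(text);
  if (!Array.isArray(entries) || entries.length > maxEntries) {
    throw new Error("payload is not a flat entry array or exceeds maxEntries");
  }
  const isContainer = (v) => v !== null && typeof v === "object";
  // Pass 1: one result object per index, so a cycle resolves to the same object.
  const resolved = entries.map((e) =>
    isContainer(e) ? (Array.isArray(e) ? [] : {}) : e
  );
  // Pass 2: replace index strings with their pre-allocated targets.
  let refs = 0;
  for (let i = 0; i < entries.length; i++) {
    const src = entries[i];
    if (!isContainer(src)) continue;
    for (const key of Object.keys(src)) {
      const v = src[key];
      if (typeof v !== "string") {
        resolved[i][key] = v; // numbers, booleans and null stay inline
        continue;
      }
      const idx = Number(v);
      if (!Number.isInteger(idx) || idx < 0 || idx >= entries.length) {
        throw new Error(`bad reference "${v}" at entry ${i} key ${key}`);
      }
      if (++refs > maxRefs) throw new Error("reference budget exceeded");
      resolved[i][key] = resolved[idx];
    }
  }
  return resolved[0];
}

// Constructed long reference chain standing in for deep nesting:
// entry 0 -> 1 -> ... -> length-1 -> "end".
function buildChain(length) {
  const entries = [];
  for (let i = 0; i < length; i++) entries.push({ next: String(i + 1) });
  entries.push("end");
  return JSON.stringify(entries);
}
```

A recursive revive would re-enter itself once per hop of the chain and once more on the self-reference; here both resolve in a single loop, and an out-of-range index is rejected instead of being followed.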

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade flatted to version 3.4.0 or later.
  • Avoid parsing untrusted or deeply nested JSON data until the update is applied.
  • Monitor application logs for unexpected crashes or stack overflows.

Generated by OpenCVE AI on March 19, 2026 at 22:36 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-25h7-pfq9-p65f
Title: flatted vulnerable to unbounded recursion DoS in parse() revive phase
History

Thu, 19 Mar 2026 21:15:00 +0000
  CPEs: cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*

Fri, 13 Mar 2026 17:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:15:00 +0000
  Weaknesses: CWE-770
  References: (values not listed)
  Metrics (threat_severity): removed None, added Important

Fri, 13 Mar 2026 10:00:00 +0000
  First Time appeared: Webreflection; Webreflection flatted
  Vendors & Products: Webreflection; Webreflection flatted

Thu, 12 Mar 2026 18:15:00 +0000
  Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
  Title: flatted: Unbounded recursion DoS in parse() revive phase
  Weaknesses: CWE-674
  References: (values not listed)
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:20:19.201Z

Reserved: 2026-03-10T22:19:36.546Z

Link: CVE-2026-32141

Vulnrichment

Updated: 2026-03-13T16:20:10.284Z

NVD

Status: Analyzed

Published: 2026-03-12T18:16:25.837

Modified: 2026-03-19T21:07:24.717

Link: CVE-2026-32141

Redhat

Severity: Important

Public Date: 2026-03-12T18:08:09Z

Links: CVE-2026-32141 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:48:38Z

Weaknesses