Description
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Published: 2026-03-20
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the parse() function of the flatted library, which accepts attacker‑controlled string values from the JSON payload as array index keys without validating that they are numeric. When a value such as "__proto__" is used, the JavaScript runtime resolves it to the Array prototype, which is then assigned as a property of the parsed object. This exposes a live reference to Array.prototype, allowing an attacker to modify the global prototype chain and, consequently, to tamper with any code that relies on array behavior or to execute arbitrary logic. The weakness is a classic prototype‑pollution flaw (CWE‑1321) combined with improper handling of prototype references (CWE‑915).
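To make the mechanism concrete, the following is an added example written for this page, not code from flatted or its maintainers: a stand-in buffer array, the unsafe string-keyed lookup the description refers to, a hardened lookup that accepts only canonical numeric index strings, and a consumer-side check that refuses any deserialized value that is a shared built-in prototype. The names buffer, lookupUnsafe, lookupSafe, isCanonicalIndex and isLeakedPrototype, and the sample buffer contents, are assumptions; flatted's real internals differ.

```javascript
// Added example (not flatted's own code). All names below are illustrative only.
// Constructed stand-in for a parser's internal buffer: a plain Array of parsed values.
const buffer = ["root", 42, { name: "example" }];

// Unsafe pattern described in the advisory: the string taken from the input is used
// directly as an array index. For an Array, the key "__proto__" is not an element
// lookup; it resolves through the inherited accessor and returns Array.prototype.
function lookupUnsafe(buf, key) {
  return buf[key];
}

// Canonical array index: a non-negative integer with no leading zeros, sign or
// exponent, and no larger than the maximum array index (2^32 - 2).
function isCanonicalIndex(key) {
  return typeof key === "string"
    && /^(0|[1-9][0-9]*)$/.test(key)
    && Number(key) <= 4294967294;
}

// Hardened lookup: reject any key that is not a canonical in-range index before
// touching the array, so property names such as "__proto__", "length" or
// "constructor" can never come back as a "parsed value".
function lookupSafe(buf, key) {
  if (!isCanonicalIndex(key)) {
    throw new TypeError(`invalid array index key: ${JSON.stringify(key)}`);
  }
  const index = Number(key);
  if (index >= buf.length) {
    throw new RangeError(`index ${index} out of range for length ${buf.length}`);
  }
  return buf[index];
}

// Consumer-side check: a value coming out of any deserializer must never be one of
// the shared built-in prototypes. Storing or mutating such a value would change
// behaviour for every array or object in the process.
function isLeakedPrototype(value) {
  return value === Array.prototype
    || value === Object.prototype
    || value === Function.prototype;
}

// Runs both lookups against the same hostile key and reports what each does.
function demo() {
  const leaked = lookupUnsafe(buffer, "__proto__");
  let rejected = false;
  try {
    lookupSafe(buffer, "__proto__");
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return {
    unsafeLeaksPrototype: isLeakedPrototype(leaked),
    safeRejectsKey: rejected,
    safeValueAtOne: lookupSafe(buffer, "1"),
  };
}

console.log(demo());
```

The regular expression is deliberately stricter than JavaScript's own ToNumber coercion: "01", "-1" and "1e0" all coerce to numbers but are not canonical array indices, so they are rejected rather than silently mapped onto an element. The isLeakedPrototype check is independent of the parser and is the kind of guard a consumer can add while waiting to upgrade to 3.4.2.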

Affected Systems

The issue affects the WebReflection flatted package for Node.js, specifically all releases prior to version 3.4.2. Applications that import flatted and deserialize user‑supplied JSON, such as browsers, backend services, or any tooling that relies on this library, are potentially vulnerable until they upgrade to 3.4.2 or later.

Risk and Exploitability

Because the vulnerability is directly triggered by an attacker‑controlled JSON document, exploitation requires the ability to supply malicious input to parse(). The CVSS score of 8.9 classifies it as high severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploitation. However, prototype pollution can lead to subtle compromise or denial of service, so the risk is notable, especially in critical services that rely on parsed JSON.

Generated by OpenCVE AI on March 26, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade flatted to version 3.4.2 or later.
  • Ensure that any JSON data parsed with flatted originates from trusted sources or is validated before parsing.
  • Review application code for places where parsed objects may be stored or used in a way that can be manipulated through prototype pollution.
  • Monitor for future advisories or updates from WebReflection regarding flatted.


Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-rf6f-7fwh-wjgh | Prototype Pollution via parse() in NodeJS flatted
History

Thu, 26 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-915
References | |
Metrics | threat_severity: None | threat_severity: Critical


Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webreflection; Webreflection flatted
Vendors & Products | | Webreflection; Webreflection flatted

Sat, 21 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Title | | flatted: Prototype Pollution via parse()
Weaknesses | | CWE-1321
References | |
Metrics | | cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:57:22.866Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33228

Vulnrichment

Updated: 2026-03-24T17:57:13.490Z

NVD

Status: Analyzed

Published: 2026-03-20T23:16:46.510

Modified: 2026-03-23T19:14:31.040

Link: CVE-2026-33228

Redhat

Severity: Critical

Published Date: 2026-03-20T23:06:48Z

Links: CVE-2026-33228 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:21:28Z

Weaknesses