CVE-2026-32141

{"id": "CVE-2026-32141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-12T18:16:25.837", "references": [{"url": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/pull/88", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0."}, {"lang": "es", "value": "flatted es un analizador de JSON circular. Antes de la versi\u00f3n 3.4.0, la funci\u00f3n parse() de flatted utiliza una fase recursiva revive() para resolver referencias circulares en JSON deserializado. Cuando se le proporciona una carga \u00fatil manipulada con \u00edndices $ profundamente anidados o autorreferenciales, la profundidad de recursi\u00f3n es ilimitada, causando un desbordamiento de pila que bloquea el proceso de Node.js. Esta vulnerabilidad se ha corregido en la versi\u00f3n 3.4.0."}], "lastModified": "2026-03-19T21:07:24.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "767AEF0F-F297-47FE-8BA7-F1B7D7DFB8F0", "versionEndExcluding": "3.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}