Platform
nodejs
Component
flatted
Fixed version
3.4.3
3.4.2
CVE-2026-33228 describes a prototype pollution vulnerability in the flatted library, a Node.js package for serializing and parsing circular JSON structures. A crafted JSON payload handed to flatted's parse() function can write attacker-chosen properties onto Array.prototype, which every array in the process inherits; in applications where such inherited properties reach a sensitive sink, the page rates the outcome as potential arbitrary code execution. Versions of flatted prior to 3.4.2 are affected, and a fix has been released. Updating to the patched version promptly is the primary defence.
The root cause is in parse(): flatted encodes a value graph as a flat JSON array in which nested string values are references, i.e. indexes into that top-level array, and parse() resolves each reference by using the string directly as an array index without validating that it is a numeric slot. In JavaScript, indexing an array with a string that is not a numeric slot walks the prototype chain, so a reference of `__proto__` resolves to Array.prototype itself rather than to an element. A payload containing that reference therefore hands the parser Array.prototype as the object to populate, and properties and methods written during parsing land on the global Array.prototype. Any code that subsequently touches an array inherits those properties, which can lead to unexpected behaviour, denial of service, or, with a suitable sink, remote code execution. The pattern is the familiar prototype pollution class, but because the reference resolves straight to Array.prototype the blast radius is larger than a pollution confined to one object.
This vulnerability was publicly disclosed on 2026-03-19. No active campaigns targeting this CVE are known at the time of writing, and no public proof-of-concept (PoC) has been widely released. The payload is simple to craft, so a PoC is unlikely to stay unavailable for long, but the EPSS score of 0.03% (10th percentile) reflects a low predicted probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Because the potential impact includes remote code execution, it should still be treated as high priority for remediation.
Applications that use flatted to parse JSON are at risk, above all those that parse untrusted input (request bodies, messages from other services, data read back from a cache that a less trusted component can write to). Node.js projects that depend on flatted directly or through a transitive dependency are affected. Development environments and continuous integration pipelines that install vulnerable versions of flatted are also potential targets.
• nodejs / server:
# List every copy of flatted in the dependency tree, including nested and transitive installs
npm ls flatted --all
# Report the installed version against the fixed version (3.4.2)
grep '"version"' node_modules/flatted/package.json
# Ask the registry advisory database about the whole tree
npm audit
• nodejs / server:
# Inspect the installed flatted module for how it handles prototype keys
find node_modules/flatted -name '*.js' -print0 | xargs -0 grep -n -i '__proto__'
# Caveat: a patched release may itself mention __proto__ in its guard, so a match is not evidence of vulnerability; the version number is the authoritative indicator.
• generic web:
# Check a running application for pollution of Array.prototype
# (requires access to the application code, a REPL, or debugging tools)
# A clean runtime has no enumerable own properties on Array.prototype, so this prints []
console.log(Object.keys(Array.prototype));
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33228 is to upgrade to flatted version 3.4.2 or later, which validates reference indexes during parsing so that a string such as `__proto__` can no longer resolve to the prototype chain. If an immediate upgrade is not feasible, validate the JSON before it reaches flatted: require every reference to be a canonical non-negative integer within the bounds of the top-level array, and reject the keys `__proto__`, `constructor` and `prototype` anywhere in the payload. A Web Application Firewall (WAF) rule that blocks payloads containing `__proto__` adds a layer, but treat it as a stopgap only: JSON permits the same key to be written with unicode escapes (for example `\u005f\u005fproto\u005f\u005f`), which a naive string match will miss, so filtering must be applied to the decoded value. After upgrading, confirm the fix by parsing a payload that carries a `__proto__` reference and verifying that Array.prototype and Object.prototype gained no new own properties.
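The following is an added example, not flatted's own code and not the project's patch. It makes the two points above concrete: an unchecked string lookup on an array reaches Array.prototype, while a checked lookup refuses anything that is not a real slot; a pre-parse validator enforces the rules described for the interim mitigation; and a snapshot/diff of the shared prototypes gives the post-upgrade verification. It assumes the flatted wire format as described in the analysis (a JSON array in which nested string values are indexes into that array); the sample payloads are constructed for the example.

```javascript
// Added example: hardening the "string value as array index" lookup, validating a
// flatted-style payload before it reaches flatted.parse(), and checking afterwards
// that no shared prototype was polluted. Not flatted's code.
// Assumed wire format: a JSON array; inside nested objects/arrays every string
// value is a reference (an index into that top-level array).

const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A safe index is a canonical non-negative integer string within the array bounds.
// "01", "1e3", "-1" and "__proto__" are all rejected.
function isSafeIndex(key, length) {
  return typeof key === 'string' && /^(0|[1-9][0-9]*)$/.test(key) && Number(key) < length;
}

// The unchecked lookup: "__proto__" is not an array slot, so the lookup walks the
// prototype chain and returns Array.prototype itself.
function lookupUnchecked(input, key) {
  return input[key];
}

// The checked lookup refuses anything that is not a genuine array slot.
function lookupChecked(input, key) {
  if (!isSafeIndex(key, input.length)) {
    throw new TypeError(`refusing non-numeric index ${JSON.stringify(key)}`);
  }
  return input[key];
}

// Pre-parse validation for the interim mitigation. Decodes the JSON first so that
// unicode-escaped keys are compared after decoding, then rejects prototype keys and
// any reference that is not a canonical in-range index. Returns the decoded array.
function validateFlattedPayload(text) {
  const input = JSON.parse(text);
  if (!Array.isArray(input)) throw new TypeError('flatted payload must be a JSON array');
  const walk = (node) => {
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (node !== null && typeof node === 'object') {
      for (const key of Object.keys(node)) {
        if (POLLUTING_KEYS.has(key)) throw new TypeError(`rejected key ${JSON.stringify(key)}`);
        walk(node[key]);
      }
      return;
    }
    if (typeof node === 'string' && !isSafeIndex(node, input.length)) {
      throw new TypeError(`rejected reference ${JSON.stringify(node)}`);
    }
  };
  // Only nested strings are references; a top-level string is an ordinary value.
  for (const entry of input) {
    if (entry !== null && typeof entry === 'object') walk(entry);
  }
  return input;
}

// Post-parse verification: snapshot the own property names of the shared prototypes
// before parsing untrusted data and diff afterwards. Any new name is pollution.
function snapshotPrototypes() {
  return [Array.prototype, Object.prototype].map((p) => new Set(Object.getOwnPropertyNames(p)));
}
function prototypeDiff(snapshot) {
  return [Array.prototype, Object.prototype].flatMap((p, i) =>
    Object.getOwnPropertyNames(p).filter((name) => !snapshot[i].has(name)));
}

// Constructed sample payloads (not captured traffic).
const benign = '[{"a":"1","b":"2"},"hello",[3,4]]';
const hostile = '[{"a":"__proto__"}]';

const before = snapshotPrototypes();
console.log('benign accepted, entries:', validateFlattedPayload(benign).length);
try {
  validateFlattedPayload(hostile);
} catch (e) {
  console.log('hostile blocked:', e.message);
}
console.log('unchecked lookup reaches Array.prototype:', lookupUnchecked([], '__proto__') === Array.prototype);
// With a patched flatted installed, call flatted.parse(hostile) here before the diff;
// an empty diff confirms the upgrade closed the hole.
console.log('prototype clean:', prototypeDiff(before).length === 0);
```

The validator is deliberately stricter than a plain `__proto__` blocklist: a reference that is out of range or not canonical (`"01"`) has no legitimate meaning in the format, so rejecting it costs nothing and removes the whole class rather than one key name.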
Update the flatted library to version 3.4.2 or later. This fixes the Prototype Pollution vulnerability. You can update using npm or yarn.
CVE-2026-33228 is a high-severity prototype pollution vulnerability in the flatted library: a malicious JSON payload passed to parse() can write attacker-controlled properties onto Array.prototype.
You are affected if you are using flatted versions prior to 3.4.2 and are processing untrusted JSON data.
Upgrade to flatted version 3.4.2 or later. Implement input validation on JSON data if immediate upgrade is not possible.
No active campaigns are currently known and the EPSS score is low (0.03%), but the payload is simple to craft, so exploitation should be expected to become easier once details or a PoC circulate.
Refer to the flatted project's repository or website for the official advisory and release notes regarding this vulnerability.