Platform
nodejs
Component
flatted
Fixed in
3.4.1
3.4.0
CVE-2026-32141 affects the flatted Node.js library, a popular circular JSON serialization layer. The vulnerability stems from an unbounded recursive call within the parse() function when handling crafted JSON payloads with deeply nested or self-referential $ indices. This leads to a stack overflow, resulting in a Denial of Service (DoS). Applications utilizing flatted.parse() with untrusted input are vulnerable, particularly those with high traffic or critical functionality, and the fix is available in version 3.4.0.
The primary impact of CVE-2026-32141 is a Denial of Service. An unauthenticated attacker can crash the Node.js process by sending a specially crafted JSON payload to the flatted.parse() function. Given flatted's widespread use (~87M weekly npm downloads) and its integration into numerous caching and logging libraries, the potential blast radius is significant. A successful attack could disrupt services relying on these libraries, leading to application downtime and potential data unavailability. The ease of exploitation (a single request is sufficient) further elevates the risk. This vulnerability resembles other stack-exhaustion vulnerabilities in which deeply nested data structures overwhelm the call stack.
CVE-2026-32141 was published on 2026-03-13. Its severity is rated as HIGH with a CVSS score of 7.5. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public Proof-of-Concept (POC) code is likely to emerge given the vulnerability's ease of exploitation and the library's popularity. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term, but this could change rapidly with the release of POCs.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32141 is to upgrade to version 3.4.0 or later of the flatted library. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing input validation to prevent deeply nested or self-referential JSON structures from being passed to flatted.parse(). WAF rules could be configured to block requests containing suspicious JSON patterns. While not a complete solution, rate limiting can help mitigate the impact of a DoS attack by limiting the number of requests from a single source. After upgrading, confirm the fix by sending a known malicious payload (from public vulnerability reports) to flatted.parse() and verifying that it no longer triggers a crash.
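One way to implement the input-validation mitigation described above, as an added example that is not flatted's own code: a guard that checks an untrusted payload against flatted's wire format (a JSON array in which every string inside an entry is an index into that array) before it reaches flatted.parse(). The byte, entry and reference-depth limits, and the function name checkFlattedPayload, are assumptions for this example.

```javascript
'use strict';

// Assumed limits for this example; tune them to the data you actually accept.
const MAX_BYTES = 1 << 20;   // 1 MiB of serialized text
const MAX_ENTRIES = 10000;   // top-level array entries
const MAX_REF_DEPTH = 256;   // longest chain of index references

// Returns { ok: true, depth } when the payload is safe to hand to flatted.parse(),
// otherwise { ok: false, reason }. The reference graph is walked iteratively, so
// the guard itself never recurses on attacker-controlled structure. The walk
// marks each entry on first visit, mirroring how flatted.parse() revives an
// entry once and reuses it afterwards, so the measured depth approximates the
// recursion depth the library would reach.
function checkFlattedPayload(text, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_BYTES;
  const maxEntries = opts.maxEntries ?? MAX_ENTRIES;
  const maxRefDepth = opts.maxRefDepth ?? MAX_REF_DEPTH;

  if (typeof text !== 'string') return { ok: false, reason: 'payload is not a string' };
  if (new TextEncoder().encode(text).length > maxBytes) return { ok: false, reason: 'payload too large' };

  let arr;
  try { arr = JSON.parse(text); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (!Array.isArray(arr)) return { ok: false, reason: 'not a flatted array' };
  if (arr.length === 0) return { ok: false, reason: 'empty payload' };
  if (arr.length > maxEntries) return { ok: false, reason: 'too many entries' };

  const visited = new Set();
  const stack = [[0, 1]];   // [entry index, chain depth], starting at the root entry
  let maxDepth = 0;
  while (stack.length > 0) {
    const [i, depth] = stack.pop();
    if (visited.has(i)) continue;   // cycles and shared entries are revived only once
    visited.add(i);
    if (depth > maxDepth) maxDepth = depth;
    if (depth > maxRefDepth) return { ok: false, reason: 'reference chain too deep' };
    const entry = arr[i];
    if (entry === null || typeof entry !== 'object') continue;   // primitives end a chain
    const children = Object.values(entry);
    for (let k = children.length - 1; k >= 0; k--) {   // reversed push keeps in-order traversal
      const child = children[k];
      if (typeof child !== 'string') continue;
      const j = Number(child);
      if (!Number.isInteger(j) || j < 0 || j >= arr.length) return { ok: false, reason: 'dangling reference' };
      stack.push([j, depth + 1]);
    }
  }
  return { ok: true, depth: maxDepth };
}
```

Call checkFlattedPayload(body) on the raw request body and only pass it to flatted.parse() when ok is true; the reason string is suitable for a rejection log line.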
Update the flatted library to version 3.4.0 or later. This corrects the unbounded recursion vulnerability in the parse() function that can cause a denial of service.
It's a Denial of Service (DoS) vulnerability in the flatted Node.js library, caused by unbounded recursion when parsing crafted JSON.
If you're using flatted in your Node.js application and haven't upgraded to version 3.4.0 or later, you are potentially vulnerable.
Upgrade to version 3.4.0 or later of the flatted library. If upgrading isn't possible immediately, implement input validation to restrict complex JSON structures.
Currently, there's no evidence of active exploitation, but public POCs are likely to appear, increasing the risk.
Refer to the official CVE entry on the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2026-32141) and the flatted project's repository for updates.