PatchSiren cyber security CVE debrief
CVE-2026-32141 WebReflection CVE debrief
CVE-2026-32141 is a denial-of-service vulnerability in Flatted, the circular-JSON serializer and parser published by WebReflection for JavaScript and Node.js. Before version 3.4.0, the revive() phase of parse() recurses once for every nested object it resolves, with no bound on depth, so a crafted payload with deeply nested or self-referential $ indices overflows the call stack and crashes the Node.js process. The issue was fixed in version 3.4.0, and users of earlier releases should upgrade. The CVE carries a CVSS score of 7.5 (HIGH), was published on March 12, 2026, and was last modified on June 30, 2026.
- Vendor: WebReflection
- Product: flatted
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-12
- Advisory updated: 2026-06-30
Who should care
Developers and administrators whose Node.js applications use Flatted should upgrade to version 3.4.0 or later and review where the library is exposed to untrusted input. Flatted usually enters a project as a transitive dependency rather than a direct one, so checking the lockfile matters more than checking package.json. Users of Red Hat products may also be affected, as indicated by the presence of several Red Hat errata references.
Technical summary
Flatted is a circular-JSON parser for Node.js. Its wire format is a JSON array in which every object, array and string is stored once as a top-level entry, and a property that points at another entry holds that entry's index as a string; this is how it round-trips object graphs that JSON.stringify() rejects as circular. Prior to version 3.4.0, parse() resolves these references in a recursive revive() phase that descends one call deeper for every nested object it has not yet visited. A crafted payload with deeply nested or self-referential $ indices therefore drives the recursion as deep as the attacker likes, the call stack overflows, and if the resulting RangeError is not caught the Node.js process terminates. The result is a remotely triggerable denial of service (DoS). The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 (HIGH): reachable over the network with no privileges or user interaction, with impact on availability only. The issue was addressed in version 3.4.0.
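As an added illustration (example code written for this debrief, not Flatted's own source), the following Node.js script models the Flatted wire format and contrasts a recursive revive() of the shape described above with an iterative rewrite. buildChainPayload, reviveRecursive, reviveIterative, the maxObjects cap and the embedded payloads are assumptions of the example, not Flatted APIs.

```javascript
// Added example, written for this debrief; it is not Flatted's own source.
// A minimal model of the Flatted wire format with (a) a recursive revive()
// pass of the shape the advisory describes and (b) an iterative rewrite whose
// memory use grows with the object graph instead of the call stack.
//
// Wire format (this much matches Flatted): the text is a JSON array, entry 0
// is the root, and a string-valued property inside any entry is an index into
// that array. Real strings live as their own entries, so {a: "hi"} becomes
// [{"a":"1"},"hi"] and a self-loop becomes [{"me":"0"}].

// Constructed attacker payload: `depth` objects chained by index references,
// the last one pointing at itself. Depth 200000 exceeds the default V8 stack.
function buildChainPayload(depth) {
  const entries = new Array(depth);
  for (let i = 0; i < depth; i++) {
    const next = i + 1 < depth ? i + 1 : i;
    entries[i] = `{"next":"${next}"}`;
  }
  return `[${entries.join(',')}]`;
}

// A string-valued property is a reference; anything else is already a value.
function resolve(input, value) {
  return typeof value === 'string' ? input[Number(value)] : value;
}

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable shape: one nested call per not-yet-visited object, so a chain of
// N objects needs N stack frames and dies with RangeError past the limit.
function reviveRecursive(input, seen, output) {
  for (const k of Object.keys(output)) {
    const v = resolve(input, output[k]);
    output[k] = v;
    if (isObject(v) && !seen.has(v)) {
      seen.add(v);
      reviveRecursive(input, seen, v);
    }
  }
  return output;
}

// Hardened shape: an explicit work list replaces recursion, and maxObjects (an
// added knob, not a Flatted option) caps the work a hostile payload can demand.
function reviveIterative(input, root, maxObjects = Infinity) {
  const seen = new Set([root]);
  const work = [root];
  while (work.length > 0) {
    const output = work.pop();
    for (const k of Object.keys(output)) {
      const v = resolve(input, output[k]);
      output[k] = v;
      if (isObject(v) && !seen.has(v)) {
        if (seen.size >= maxObjects) {
          throw new Error(`payload references more than ${maxObjects} objects`);
        }
        seen.add(v);
        work.push(v);
      }
    }
  }
  return root;
}

function parseRecursive(text) {
  const input = JSON.parse(text);
  const root = input[0];
  return isObject(root) ? reviveRecursive(input, new Set([root]), root) : root;
}

function parseIterative(text, maxObjects = Infinity) {
  const input = JSON.parse(text);
  const root = input[0];
  return isObject(root) ? reviveIterative(input, root, maxObjects) : root;
}

// Walk a revived chain and count hops until it loops back on itself.
function chainLength(root) {
  let hops = 0;
  for (let o = root; o.next !== o; o = o.next) hops++;
  return hops;
}

function demo() {
  // Constructed benign payload: root -> {name:"root", child: obj2}, obj2 -> {parent: root, me: obj2}
  const benign = '[{"name":"1","child":"2"},"root",{"parent":"0","me":"2"}]';
  const r = parseIterative(benign);
  console.log(r.name, r.child.parent === r, r.child.me === r.child); // root true true

  const hostile = buildChainPayload(200000);
  try {
    parseRecursive(hostile);
  } catch (e) {
    console.log('recursive revive:', e.name); // RangeError
  }
  console.log('iterative revive hops:', chainLength(parseIterative(hostile))); // 199999
  try {
    parseIterative(hostile, 10000);
  } catch (e) {
    console.log('capped revive:', e.message);
  }
}

demo();
```

The recursive model is only meant to show why depth maps to stack frames; the cap is a separate, cheaper defence because a payload can also be wide rather than deep. In a real service the byte size of the input should be bounded before JSON.parse ever runs.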
Defensive priority
The score is high and the attack needs only the ability to deliver a payload to a parse() call, so remediation should be prioritized for any production service that parses Flatted data from clients, message queues, caches or other sources outside its trust boundary.
Recommended defensive actions
- Upgrade to Flatted version 3.4.0 or later, including every nested copy pulled in by other packages
- Review applications for potential exposure: find each parse() call that handles data from outside the process and test it against a deeply nested payload in a staging environment
- Apply patches or updates provided by vendors, such as Red Hat
- Monitor applications for crashes and restarts, in particular uncaught "RangeError: Maximum call stack size exceeded" errors in logs
- Consider additional measures, such as capping the byte size of Flatted payloads accepted from untrusted sources and wrapping parse() in error handling so a malformed payload fails the request rather than the process
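To support the first two actions above, here is an added example (written for this debrief, not PatchSiren's or npm's tooling) that lists every copy of flatted in an npm lockfile and flags the ones below the fixed release. The function names, the FIXED_VERSION constant and both sample lockfiles are constructed for the example.

```javascript
// Added example for this debrief, not PatchSiren's or npm's tooling: list every
// copy of flatted in an npm lockfile and flag the ones below the fixed release.
// Flatted usually arrives as a transitive dependency, so several nested copies
// can coexist and each one must be checked.
const FIXED_VERSION = '3.4.0';

// Parse the numeric x.y.z prefix; anything unparseable is treated as unknown.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when `version` is older than FIXED_VERSION, or cannot be parsed.
function isVulnerableVersion(version) {
  const a = parseVersion(version);
  if (!a) return true;
  const b = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Collect {path, version} for every entry named `name`. lockfileVersion 2 and
// 3 carry a flat "packages" map keyed by install path; lockfileVersion 1 nests
// "dependencies" trees, walked here with a work list rather than recursion.
function findPackage(lock, name = 'flatted') {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const work = [['', lock.dependencies]];
    while (work.length > 0) {
      const [prefix, deps] = work.pop();
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) work.push([`${path}/`, meta.dependencies]);
      }
    }
  }
  return hits;
}

function auditLock(lock) {
  return findPackage(lock).map(h => ({ ...h, vulnerable: isVulnerableVersion(h.version) }));
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/flatted': { version: '3.3.1' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { flatted: '^3.4.0' } },
    'node_modules/some-tool/node_modules/flatted': { version: '3.4.0' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': {
      version: '1.9.0',
      requires: { flatted: '^3.2.0' },
      dependencies: { flatted: { version: '3.2.7' } },
    },
  },
};

function demo() {
  for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
    for (const h of auditLock(lock)) {
      console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${String(h.version).padEnd(8)} ${h.path}`);
    }
  }
}

demo();
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to auditLock; `npm ls flatted` shows the same nested copies as a tree. Any path flagged VULNERABLE needs its parent package updated or an override so that the 3.4.0 or later release is installed at that position.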
Evidence notes
CVE-2026-32141 was published on March 12, 2026, and last modified on June 30, 2026. It concerns the Flatted library, used for parsing circular JSON in Node.js applications. Several sources, including the NVD and Red Hat, have documented the vulnerability and provided mitigation guidance.
Official resources
- CVE-2026-32141 CVE record (CVE.org)
- CVE-2026-32141 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.