PatchSiren cyber security CVE debrief

CVE-2026-32141 WebReflection CVE debrief

CVE-2026-32141 is a vulnerability in Flatted, the circular JSON parser for Node.js, that can lead to a stack overflow and crash the Node.js process. The cause is unbounded recursion depth in the revive() phase of parse() when it is given a crafted payload with deeply nested or self-referential $ indices. The issue was fixed in version 3.4.0; users of Flatted prior to 3.4.0 are advised to upgrade to the latest version. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on March 12, 2026, and last modified on June 30, 2026.

Vendor: WebReflection
Product: flatted
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-12
Original CVE updated: 2026-06-30
Advisory published: 2026-03-12
Advisory updated: 2026-06-30

Who should care

Developers and administrators using the Flatted library in their Node.js applications should be aware of this vulnerability and take steps to mitigate it: upgrade to version 3.4.0 or later and review their applications for potential exposure. Users of Red Hat products may also be affected, as indicated by the several Red Hat errata references.

Technical summary

The Flatted library is a circular JSON parser for Node.js. Prior to version 3.4.0, the library's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, leading to a stack overflow that crashes the Node.js process. An attacker can exploit this to cause a denial of service (DoS). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, no privileges or user interaction required, with a high impact on availability and none on confidentiality or integrity. The issue was addressed in version 3.4.0.

Defensive priority

This vulnerability has a high severity score and can be exploited to cause a denial of service (DoS). Mitigation should therefore be prioritized, especially for applications that use the Flatted library to parse untrusted input in a production environment.

Recommended defensive actions

  • Upgrade to Flatted version 3.4.0 or later
  • Review applications for potential exposure and test whether they are affected
  • Apply patches or updates provided by vendors, such as Red Hat
  • Monitor applications for suspicious activity, such as repeated process crashes on parse
  • Consider additional defensive measures, such as input validation before parsing and error handling around parse()

Evidence notes

CVE-2026-32141 was published on March 12, 2026, and last modified on June 30, 2026. The vulnerability lies in the Flatted library, which is used for parsing circular JSON in Node.js applications. Several sources, including the NVD and Red Hat, have documented the vulnerability and provided mitigation guidance.

Official resources

This article is AI-assisted and based on the supplied source corpus.