Executive Summary

CVE-2026-32141 is a vulnerability in the flatted JavaScript library, which is used to parse JSON data with circular references. Before version 3.4.0, the parse() function used a recursive method called revive() to resolve these circular references.

When given a specially crafted JSON payload with deeply nested or self-referential indices, this recursion could become unbounded, causing a stack overflow that crashes the Node.js process running the code.

The issue arises because the recursive approach does not limit the depth of recursion, leading to exhaustion of the call stack.

The vulnerability was fixed by replacing the recursive revive() function with an iterative resolver function that processes references lazily and avoids deep recursion, preventing stack overflow crashes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely by an unauthenticated attacker who sends a maliciously crafted JSON payload to an application using flatted.parse() on untrusted input.

Exploitation causes a stack overflow due to unbounded recursion, crashing the Node.js process and resulting in a denial of service (DoS).

Because flatted is widely used in caching and logging libraries with millions of weekly downloads, many applications could be affected if they parse untrusted input with vulnerable versions.

• Denial of Service by crashing the application process.
• Potential application instability or downtime.
• No direct impact on confidentiality or integrity, but availability is severely affected.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by observing crashes or stack overflow errors in Node.js processes that use the flatted library's parse() function when processing JSON input with deeply nested or self-referential $ indices."}, {'type': 'paragraph', 'content': 'A proof of concept involves creating a deeply nested circular reference chain (e.g., depth of 20,000) that triggers a RangeError: Maximum call stack size exceeded during parsing.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or the vulnerability, monitor logs for such stack overflow errors or crashes related to flatted.parse().'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': "Check Node.js application logs for errors like 'RangeError: Maximum call stack size exceeded' related to flatted.parse()."}, {'type': 'list_item', 'content': 'Use network monitoring tools to detect unusually large or deeply nested JSON payloads sent to services using flatted.'}, {'type': 'list_item', 'content': 'Run test scripts that attempt to parse crafted deeply nested or cyclic JSON payloads using flatted.parse() to observe if crashes occur.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the flatted library to version 3.4.0 or later, where the vulnerability is fixed by replacing the recursive revive() function with an iterative resolver approach.

This update prevents unbounded recursion and stack overflow crashes when parsing deeply nested or cyclic JSON structures.

Additionally, avoid parsing untrusted or maliciously crafted JSON payloads with vulnerable versions of flatted.

If upgrading immediately is not possible, consider implementing input validation or limiting the depth and complexity of JSON inputs before parsing.

Useful 0 Not Useful 0