CVE-2026-33228
Received Received - Intake
Prototype Pollution via Improper Indexing in flatted JSON Parser

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webreflection flatted to 3.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the flatted circular JSON parser prior to version 3.4.2. The parse() function can use attacker-controlled string values from the parsed JSON as direct array index keys without validating that they are numeric.

Because the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object.

As a result, this effectively leaks a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype, potentially causing unexpected behavior or security issues.

This issue was fixed in version 3.4.2 of flatted.

Impact Analysis

This vulnerability can lead to prototype pollution by leaking a live reference to Array.prototype. If an attacker controls the input JSON, they can manipulate the global prototype by writing to the polluted property.

Such prototype pollution can cause unexpected behavior in applications, including security issues like privilege escalation, denial of service, or arbitrary code execution depending on how the polluted prototype is used.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the flatted package to version 3.4.2 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart