CVE-2026-33228
Modified Modified - Updated After Analysis

Prototype Pollution via Improper Indexing in flatted JSON Parser

Vulnerability report for CVE-2026-33228, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-20

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-20
Last Modified
2026-07-02
Generated
2026-07-06
AI Q&A
2026-03-21
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
webreflection flatted to 3.4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the flatted circular JSON parser prior to version 3.4.2. The parse() function can use attacker-controlled string values from the parsed JSON as direct array index keys without validating that they are numeric.

Because the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object.

As a result, this effectively leaks a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype, potentially causing unexpected behavior or security issues.

This issue was fixed in version 3.4.2 of flatted.

Impact Analysis

This vulnerability can lead to prototype pollution by leaking a live reference to Array.prototype. If an attacker controls the input JSON, they can manipulate the global prototype by writing to the polluted property.

Such prototype pollution can cause unexpected behavior in applications, including security issues like privilege escalation, denial of service, or arbitrary code execution depending on how the polluted prototype is used.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the flatted package to version 3.4.2 or later, where the issue has been patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart