CVE-2026-33228
Received Received - Intake
Prototype Pollution via Improper Indexing in flatted JSON Parser

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-05-07
AI Q&A
2026-03-21
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webreflection flatted to 3.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the flatted circular JSON parser prior to version 3.4.2. The parse() function can use attacker-controlled string values from the parsed JSON as direct array index keys without validating that they are numeric.

Because the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object.

As a result, this effectively leaks a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype, potentially causing unexpected behavior or security issues.

This issue was fixed in version 3.4.2 of flatted.


How can this vulnerability impact me? :

This vulnerability can lead to prototype pollution by leaking a live reference to Array.prototype. If an attacker controls the input JSON, they can manipulate the global prototype by writing to the polluted property.

Such prototype pollution can cause unexpected behavior in applications, including security issues like privilege escalation, denial of service, or arbitrary code execution depending on how the polluted prototype is used.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the flatted package to version 3.4.2 or later, where the issue has been patched.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart