CVE-2026-32141
Published: 12 March 2026
Summary
CVE-2026-32141 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Webreflection Flatted. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 6.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32141 affects the flatted library, a circular JSON parser for Node.js, in versions prior to 3.4.0. The vulnerability stems from the parse() function's recursive revive() phase, which resolves circular references in deserialized JSON. A crafted payload featuring deeply nested or self-referential $ indices triggers unbounded recursion depth, resulting in a stack overflow that crashes the Node.js process. This issue is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Any unauthenticated remote attacker can exploit this vulnerability by supplying a malicious JSON payload to an application that invokes flatted.parse(). No user interaction or privileges are required, and exploitation is straightforward given the low attack complexity. Successful exploitation leads to a denial-of-service condition, as the targeted Node.js process terminates abruptly, potentially disrupting service availability for affected applications.
The vulnerability is addressed in flatted version 3.4.0. Security advisories and the fix are detailed in the GitHub security advisory GHSA-25h7-pfq9-p65f, pull request #88, and commit 7eb65d857e1a40de11c47461cdbc8541449f0606, which practitioners should review for patch details and upgrade recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11653
Vulnerability details
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
- CWE(s): CWE-674 (Uncontrolled Recursion)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Crafted JSON input to flatted.parse() triggers uncontrolled recursion (CWE-674) and process crash, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the unbounded recursion vulnerability in flatted by requiring timely patching to version 3.4.0 or later.
- SI-10 (Information Input Validation): validates incoming JSON payloads prior to parsing with flatted, rejecting deeply nested or self-referential structures that trigger the stack overflow.
- Denial-of-service protection: implements resource limits and recursion depth controls to mitigate process crashes from crafted payloads.
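The input-validation and recursion-depth controls above, as an added Node.js example that is not code from the flatted project or this advisory: a pre-parse guard that walks flatted's index graph with an explicit stack instead of recursion and rejects payloads whose revived object graph would be deeper than a configured limit. It assumes flatted's serialized form is a JSON array with the root at index 0 and decimal index strings inside objects and arrays; MAX_DEPTH, measureFlattedDepth, safeFlattedParse and chainPayload are names chosen here, and the depth it reports follows the first-visit traversal, an approximation of the revive walk.

```javascript
// Added example, not flatted's own code. Assumed wire format: a JSON array whose
// index 0 is the root; inside objects/arrays every string value is a decimal
// index into that array, while real strings are stored as their own entries.
// The walk uses an explicit stack, so the guard cannot itself overflow.
const MAX_DEPTH = 64; // per-application limit on revived object-graph depth

// Returns {ok, depth} or {ok: false, reason}. Depth is measured along the
// first-visit traversal, an approximation of flatted's revive walk.
function measureFlattedDepth(text, maxDepth = MAX_DEPTH) {
  let arr;
  try { arr = JSON.parse(text); } catch { return { ok: false, reason: 'invalid JSON' }; }
  if (!Array.isArray(arr) || arr.length === 0) return { ok: false, reason: 'not a flatted array' };
  const seen = new Set([0]);
  const stack = [[0, 0]]; // pairs of [array index, depth]
  let maxSeen = 0;
  while (stack.length) {
    const [i, depth] = stack.pop();
    if (depth > maxDepth) return { ok: false, reason: 'nesting too deep', depth };
    if (depth > maxSeen) maxSeen = depth;
    const node = arr[i];
    if (node === null || typeof node !== 'object') continue; // leaf entry
    for (const v of Object.values(node)) {
      if (typeof v !== 'string') continue; // numbers/booleans/null are inline
      if (!/^\d+$/.test(v)) return { ok: false, reason: 'non-index string in node' };
      const ref = Number(v);
      if (ref >= arr.length) return { ok: false, reason: 'dangling index ' + v };
      if (seen.has(ref)) continue; // shared node or cycle: already scheduled
      seen.add(ref);
      stack.push([ref, depth + 1]);
    }
  }
  return { ok: true, depth: maxSeen };
}

// Wrapper for call sites: validate first, then hand off to the real parser
// (assumed to be passed in as `parseFn`, e.g. require('flatted').parse).
function safeFlattedParse(text, parseFn, maxDepth = MAX_DEPTH) {
  const check = measureFlattedDepth(text, maxDepth);
  if (!check.ok) throw new Error('rejected flatted payload: ' + check.reason);
  return parseFn(text);
}

// Constructed sample: a chain of n nested objects, [{"n":"1"},{"n":"2"},...,"end"]
function chainPayload(n) {
  const arr = [];
  for (let i = 0; i < n; i++) arr.push({ n: String(i + 1) });
  arr.push('end');
  return JSON.stringify(arr);
}
```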