Cyber Resilience

CVE-2026-32141

High · Public PoC · DDoS

Published: 12 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: flatted 3.4.0
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.3th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32141 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Webreflection Flatted. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 6.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32141 affects the flatted library, a circular JSON parser for Node.js, in versions prior to 3.4.0. The vulnerability stems from the parse() function's recursive revive() phase, which resolves circular references in deserialized JSON. A crafted payload featuring deeply nested or self-referential $ indices triggers unbounded recursion depth, resulting in a stack overflow that crashes the Node.js process. This issue is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Any unauthenticated remote attacker can exploit this vulnerability by supplying a malicious JSON payload to an application that invokes flatted.parse(). No user interaction or privileges are required, and exploitation is straightforward given the low attack complexity. Successful exploitation leads to a denial-of-service condition, as the targeted Node.js process terminates abruptly, potentially disrupting service availability for affected applications.

The vulnerability is addressed in flatted version 3.4.0. Security advisories and the fix are detailed in the GitHub security advisory GHSA-25h7-pfq9-p65f, pull request #88, and commit 7eb65d857e1a40de11c47461cdbc8541449f0606, which practitioners should review for patch details and upgrade recommendations.
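The input-validation control (SI-10) can be applied before flatted.parse() ever runs. The following is an added example, not code from the flatted project: it inspects the wire format that flatted.stringify() emits (a top-level JSON array whose entry 0 is the root and whose string values inside objects and arrays are decimal indices into that array) and measures, with an explicit stack rather than recursion, how deep a depth-first revive walk would descend. The depth limit, the function names and the sample payloads are this example's own assumptions; the check bounds reference depth, not literal JSON nesting, and should be treated as a policy limit rather than an exact model of flatted's frame usage.

```javascript
// Added example (not flatted project code): a pre-parse reference-depth check for the
// wire format flatted.stringify() emits. That format is a top-level JSON array whose
// entry 0 is the root; inside objects and arrays, every string value is a decimal index
// into that same array (literal strings are hoisted to their own entries). The limit
// and function names below are this example's own choices.
const DEFAULT_MAX_DEPTH = 256; // assumed policy value; tune it to the application

// A string value is a usable reference only if it is a canonical decimal index in range.
function isIndexRef(value, wire) {
  return typeof value === 'string' && /^(0|[1-9]\d*)$/.test(value) && Number(value) < wire.length;
}

// Walks the reference graph depth-first from entry 0, entering each object once (as a
// revive pass with a visited set would), and returns the deepest stack it reached.
// It uses an explicit stack, so the check itself cannot overflow on a long chain.
function flattedReferenceDepth(wire) {
  if (!Array.isArray(wire)) throw new TypeError('flatted payload must be a top-level JSON array');
  if (wire.length === 0 || wire[0] === null || typeof wire[0] !== 'object') return 0;
  const visited = new Set([0]);
  const stack = [{ values: Object.values(wire[0]), cursor: 0 }];
  let deepest = 1;
  while (stack.length > 0) {
    const frame = stack[stack.length - 1];
    if (frame.cursor >= frame.values.length) { stack.pop(); continue; }
    const value = frame.values[frame.cursor++];
    if (!isIndexRef(value, wire)) continue;
    const idx = Number(value);
    const target = wire[idx];
    if (target === null || typeof target !== 'object' || visited.has(idx)) continue;
    visited.add(idx);
    stack.push({ values: Object.values(target), cursor: 0 });
    deepest = Math.max(deepest, stack.length);
  }
  return deepest;
}

// Gatekeeper to run before flatted.parse(text): plain JSON.parse does not follow the
// index references, so the depth is measured without reviving anything.
function checkFlattedPayload(text, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = flattedReferenceDepth(JSON.parse(text));
  return { ok: depth <= maxDepth, depth };
}

// Constructed samples: the first has the shape flatted produces for a small self-referencing
// object; the second is a synthetic chain of n objects, each pointing at the next.
const CIRCULAR_SAMPLE = '[{"name":"1","self":"0"},"demo"]';
function buildChain(n) {
  return JSON.stringify(Array.from({ length: n }, (_, i) => (i + 1 < n ? { next: String(i + 1) } : {})));
}

console.log(checkFlattedPayload(CIRCULAR_SAMPLE)); // { ok: true, depth: 1 }
console.log(checkFlattedPayload(buildChain(300))); // { ok: false, depth: 300 }
```

A payload that fails the check is rejected before any recursive revive runs, so the process never reaches the stack-overflow condition described above.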

Vulnerability details

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

CWE(s)

CWE-674 Uncontrolled Recursion

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Crafted JSON input to flatted.parse() triggers uncontrolled recursion (CWE-674) and process crash, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33228 (same product: Webreflection Flatted)
CVE-2026-34211 (shared CWE-674)
CVE-2026-39376 (shared CWE-674)
CVE-2026-44289 (shared CWE-674)
CVE-2026-32944 (shared CWE-674)
CVE-2025-70957 (shared CWE-674)
CVE-2026-32933 (shared CWE-674)
CVE-2024-8176 (shared CWE-674)
CVE-2026-33498 (shared CWE-674)
CVE-2026-42039 (shared CWE-674)

Affected Assets

webreflection flatted, versions ≤ 3.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-2 Flaw Remediation): Directly remediates the unbounded recursion vulnerability in flatted by requiring timely patching to version 3.4.0 or later.

prevent (SI-10 Information Input Validation): Validates incoming JSON payloads prior to parsing with flatted to reject deeply nested or self-referential structures that trigger stack overflow.

prevent: Implements denial-of-service protections such as resource limits and recursion depth controls to mitigate process crashes from crafted payloads.
