Cyber Posture

CVE-2026-32141

Severity: High · Public PoC

Published: 12 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: fixed in flatted 3.4.0
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32141 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Webreflection Flatted. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-674): supports resumption at an alternate site when uncontrolled recursion causes primary-site failure or crash.

Control (addresses CWE-674): prevents uncontrolled recursion that exhausts stack or CPU resources.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Crafted JSON input to flatted.parse() triggers uncontrolled recursion (CWE-674) and process crash, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

Deeper analysis

CVE-2026-32141 affects the flatted library, a circular JSON parser for Node.js, in versions prior to 3.4.0. The vulnerability stems from the parse() function's recursive revive() phase, which resolves circular references in deserialized JSON. A crafted payload featuring deeply nested or self-referential $ indices triggers unbounded recursion depth, resulting in a stack overflow that crashes the Node.js process. This issue is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Any unauthenticated remote attacker can exploit this vulnerability by supplying a malicious JSON payload to an application that passes attacker-controlled input to flatted.parse(); the network attack vector in the CVSS vector presumes such a path exists (for example, a request body or message that the service deserializes with flatted). No user interaction or privileges are required, and exploitation is straightforward given the low attack complexity. Successful exploitation leads to a denial-of-service condition: the Node.js process terminates abruptly on the stack overflow, and an attacker who can resend the payload can keep a restarted process down. Because flatted is frequently pulled in as a transitive dependency, the affected version should be looked for in the lockfile rather than only in direct dependencies.

The vulnerability is addressed in flatted version 3.4.0. Security advisories and the fix are detailed in the GitHub security advisory GHSA-25h7-pfq9-p65f, pull request #88, and commit 7eb65d857e1a40de11c47461cdbc8541449f0606, which practitioners should review for patch details and upgrade recommendations.

Details

CWE(s)

CWE-674 Uncontrolled Recursion

Affected Products

webreflection flatted, versions < 3.4.0 (fixed in 3.4.0)

CVEs Like This One

CVE-2026-33228 (same product: Webreflection Flatted)
CVE-2026-33908 (shared CWE-674)
CVE-2026-25048 (shared CWE-674)
CVE-2026-41636 (shared CWE-674)
CVE-2026-32944 (shared CWE-674)
CVE-2026-39376 (shared CWE-674)
CVE-2026-33498 (shared CWE-674)
CVE-2024-8176 (shared CWE-674)
CVE-2026-30922 (shared CWE-674)
CVE-2026-1849 (shared CWE-674)

References