CVE-2026-33228
Published: 20 March 2026
Summary
CVE-2026-33228 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Webreflection Flatted. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of attacker-controlled JSON string keys to ensure they are numeric before they are used as array indices, directly preventing the prototype pollution via "__proto__".
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws by upgrading flatted to version 3.4.2 or later, which patches the vulnerability.
- Vulnerability scanning: Identifies systems using vulnerable versions of the flatted library affected by this CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote, unauthenticated exploitation of public-facing applications (T1190) via crafted JSON that causes prototype pollution, which can lead to remote code execution in JavaScript runtimes (T1059.007).
NVD Description
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Deeper analysis
CVE-2026-33228 is a prototype pollution vulnerability in the flatted JavaScript library, a circular JSON parser, affecting versions prior to 3.4.2. The issue arises in the parse() function, which uses attacker-controlled string values from the parsed JSON as direct array index keys without validating that they are numeric. When the internal input buffer—a JavaScript Array—is accessed with the key "__proto__", it returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, leaking a live reference to Array.prototype to the consumer application.
An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting a malicious JSON string containing "__proto__" as a key, the attacker causes the parser to place a live reference to Array.prototype in its output. If the consuming code subsequently writes properties to this leaked reference, it modifies the global Array.prototype, potentially leading to remote code execution, denial of service, or arbitrary code manipulation depending on the application's logic and further exploitation chains.
The vulnerability, classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), has been patched in flatted version 3.4.2. Security practitioners should upgrade to this version or later. Relevant resources include the patch commit at https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802, the release announcement at https://github.com/WebReflection/flatted/releases/tag/v3.4.2, and the GitHub security advisory at https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh.
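The lookup pattern the description refers to, and the index validation that SI-10 calls for, as an added illustration that is not flatted's own code: a simplified array buffer is read once with the raw string key and once through a check that only accepts canonical array-index strings. The buffer contents are constructed sample values.

```javascript
// Added example (not flatted's code): a minimal model of the flaw and its fix.

// Constructed "input buffer". In the real parser this is the Array of values
// decoded from the incoming JSON; here it is a fixed sample.
const buffer = ['root', 'hello', 42];

// Unsafe: a string taken from attacker-controlled JSON is used directly as an
// array index. "__proto__" is not an own element of the Array, so the lookup
// falls through to the inherited getter and returns Array.prototype.
function unsafeLookup(buf, key) {
  return buf[key];
}

// Hardened: accept only canonical array-index strings ("0", "7", ...) that
// address an existing element. Rejects "__proto__", "length", "01", "-1", "1e0".
const CANONICAL_INDEX = /^(0|[1-9][0-9]*)$/;
function safeLookup(buf, key) {
  if (typeof key !== 'string' || !CANONICAL_INDEX.test(key)) {
    throw new RangeError(`invalid array index: ${JSON.stringify(key)}`);
  }
  const i = Number(key);
  if (i >= buf.length) {
    throw new RangeError(`index out of range: ${key}`);
  }
  return buf[i];
}

// True when the unsafe lookup hands back the global Array.prototype, i.e. the
// leaked reference that a later property write would pollute.
function leaksArrayPrototype(buf, key) {
  return unsafeLookup(buf, key) === Array.prototype;
}

// True when the hardened lookup refuses the key.
function rejectsKey(buf, key) {
  try {
    safeLookup(buf, key);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```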
Details
- CWE(s)