CVE-2026-32141
📋 TL;DR
CVE-2026-32141 is a stack-exhaustion vulnerability in flatted's parse() function: a maliciously crafted payload containing deeply nested circular references drives the parser's recursion past the JavaScript call-stack limit. The failure surfaces as "RangeError: Maximum call stack size exceeded" and, if the exception is not caught, terminates the Node.js process. It is a denial of service, not memory corruption. It affects any application that uses a flatted version before 3.4.0 to parse attacker-controlled input, particularly web services and APIs that accept JSON from clients.
💻 Affected Systems
- flatted (npm package), versions before 3.4.0 according to the vendor advisory
⚠️ Manual Verification Required
The CVE database entry for this issue carries no affected-version range (none was provided by the vendor/NVD), so automatic version matching cannot tell you whether your system is affected. The vendor advisory linked below names 3.4.0 as the fixed release, so treat any earlier flatted version as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check the vendor advisory (GHSA-25h7-pfq9-p65f) for the exact affected range
- Test whether the vulnerability is reachable in your environment: does untrusted input reach flatted's parse()?
- Update to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service: a single crafted request crashes the Node.js process, and because the crash is repeatable, an attacker can hold a process-manager-restarted service in a crash loop until the input is blocked or the library is patched.
Likely Case
Intermittent service disruption when malicious payloads are processed, with forced restarts and loss of in-memory state (sessions, caches, in-flight requests).
If Mitigated
Minimal impact with input validation, payload size limits and rate limiting in place, though the vulnerable code path still exists until flatted is updated.
🎯 Exploit Status
Proof of concept is available in the GitHub advisory. Exploitation requires sending a crafted JSON payload to an endpoint using flatted's parse() function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.0
Vendor Advisory: https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f
Restart Required: Yes
Instructions:
1. Update the flatted dependency to version 3.4.0 or later.
2. Run 'npm update flatted' or 'yarn upgrade flatted'. flatted is often a transitive dependency (for example via flat-cache), so if a parent package pins a range that excludes 3.4.0, force the version with an "overrides" entry (npm) or a "resolutions" entry (yarn) in package.json and reinstall.
3. Confirm with 'npm ls flatted' that no copy below 3.4.0 remains anywhere in the dependency tree.
4. Restart all Node.js processes that load the library; the fix only takes effect once the new code is loaded.
5. Test application functionality to ensure compatibility.
🔧 Temporary Workarounds
Input Validation and Sanitization
Validate payloads before they reach flatted's parse(). Note that flatted serialises a nested structure as one flat JSON array whose entries refer to each other by index, so a deep structure does not show up as deep JSON bracket nesting. Cap the raw body size and the number of top-level array entries, and reject payloads whose reference chains exceed a sane depth, rather than relying on a bracket-depth check alone.
Rate Limiting and Request Filtering
Deploy rate limiting on endpoints that accept JSON input, and add WAF rules that enforce body-size limits and block oversized or highly repetitive payloads. WAF rules keyed only on JSON nesting depth will not catch a flatted reference chain.
🧯 If You Can't Patch
- Add application-level validation that caps payload size and entry count, and rejects long reference chains, before anything is handed to flatted's parse()
- Wrap the parse() call in a try/catch at the request boundary so a RangeError becomes a 400 response instead of an unhandled exception that takes the whole process down
- Put the application behind a web application firewall (WAF) that enforces body-size and rate limits on the JSON endpoints
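The pre-parse guard described under Temporary Workarounds and If You Can't Patch, as an added example that is not code from flatted or from the advisory. It assumes flatted's wire format, where the whole structure is a single flat JSON array and every string inside an object or array entry is the index of another entry (so nesting is a chain of references, not JSON bracket depth), and it estimates the recursion depth a first-visit depth-first revive of that graph would need. The limits, the checkFlattedPayload/safeParse names and the sample payloads are all illustrative and constructed here.

```javascript
// Added example, not code from flatted or from the advisory: a pre-parse guard
// for flatted payloads. Assumption: flatted's output is one flat JSON array in
// which every string inside an object or array entry is the index of another
// entry, so nesting is a reference chain rather than JSON bracket depth. The
// depth figure estimates what a first-visit depth-first revive would recurse.
// The limits below are illustrative defaults, not values from the advisory.

const DEFAULT_LIMITS = { maxBytes: 1 << 20, maxEntries: 10000, maxDepth: 500 };

// Index strings inside a container entry are references to other entries.
// Top-level primitives (including strings) are plain values and refer to nothing.
function referencesOf(entry) {
  if (entry === null || typeof entry !== "object") return [];
  const refs = [];
  for (const v of Object.values(entry)) {
    if (typeof v === "string" && /^\d+$/.test(v)) refs.push(Number(v));
  }
  return refs;
}

// Iterative depth-first walk from entry 0 with a visited set, so circular
// references terminate. Returns the deepest stack level reached, which is the
// recursion depth a recursive reviver would need; stops early once `cap` is
// exceeded so a hostile payload cannot make the check itself expensive.
function maxReviveDepth(entries, cap) {
  if (entries.length === 0) return 0;
  const visited = new Set([0]);
  const stack = [[0, 1]];
  let deepest = 1;
  while (stack.length > 0) {
    const [idx, depth] = stack.pop();
    if (depth > deepest) deepest = depth;
    if (deepest > cap) return deepest;
    for (const ref of referencesOf(entries[idx])) {
      if (ref < entries.length && !visited.has(ref)) {
        visited.add(ref);
        stack.push([ref, depth + 1]);
      }
    }
  }
  return deepest;
}

// Validate the raw request body. Returns { ok: true, depth } or
// { ok: false, reason } and never calls flatted itself.
function checkFlattedPayload(text, limits = {}) {
  const { maxBytes, maxEntries, maxDepth } = { ...DEFAULT_LIMITS, ...limits };
  if (Buffer.byteLength(text, "utf8") > maxBytes) {
    return { ok: false, reason: "body exceeds size limit" };
  }
  let entries;
  try {
    entries = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (!Array.isArray(entries)) {
    return { ok: false, reason: "flatted payload must be a JSON array" };
  }
  if (entries.length > maxEntries) {
    return { ok: false, reason: `too many entries (${entries.length} > ${maxEntries})` };
  }
  const depth = maxReviveDepth(entries, maxDepth);
  if (depth > maxDepth) {
    return { ok: false, reason: `reference chain deeper than ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Wrap the real parser. At the call site pass flatted's own parse, e.g.
//   const { parse } = require("flatted"); const data = safeParse(body, parse);
// A rejected payload becomes a catchable error (answer 400), not a process crash.
function safeParse(text, parseFn, limits) {
  const verdict = checkFlattedPayload(text, limits);
  if (!verdict.ok) throw new Error(`rejected flatted payload: ${verdict.reason}`);
  return parseFn(text);
}

// Constructed sample shaped like flatted.stringify({ name: "svc", tags: ["a", "b"] }):
// entry 0 is the root object and its string values point at entries 1 and 2.
const BENIGN = JSON.stringify([{ name: "1", tags: "2" }, "svc", ["3", "4"], "a", "b"]);

// Constructed hostile payload: n entries, each pointing at the next and the last
// pointing back at the root. Bracket depth is 2, but the reference chain is n deep.
function deepChain(n) {
  const entries = [];
  for (let i = 0; i < n; i++) entries.push({ next: String((i + 1) % n) });
  return JSON.stringify(entries);
}

console.log(checkFlattedPayload(BENIGN));           // { ok: true, depth: 3 }
console.log(checkFlattedPayload(deepChain(20000)));  // { ok: false, reason: 'too many entries (20000 > 10000)' }
console.log(checkFlattedPayload(deepChain(5000)));   // { ok: false, reason: 'reference chain deeper than 500' }
```

The body-size cap runs first so that JSON.parse never sees an unbounded input; the entry cap bounds the worst-case recursion even if the depth estimate is imprecise for a graph with many cross-references; and the depth walk gives the tighter bound for the long-chain case that a bracket-depth rule on the WAF cannot see.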
🔍 How to Verify
Check if Vulnerable:
Look for every installed copy of flatted, including transitive copies nested under other packages, in package-lock.json or yarn.lock. Any copy below 3.4.0 is affected; the exposure is real if untrusted input reaches that copy's parse() function.
Check Version:
npm ls flatted   (lists every installed copy, including nested ones)
grep -n '"flatted"' package-lock.json   (shows the locked versions directly)
Verify Fix Applied:
Confirm that 'npm ls flatted' reports only versions 3.4.0 or higher, that the running processes have been restarted since the update, and that normal flatted payloads still parse correctly.
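The version check above, as an added example that is not the advisory's or flatted's own code: a Node.js script that walks package-lock.json in both the lockfile v1 nested "dependencies" format and the v2/v3 flat "packages" format, because flatted usually arrives as a transitive dependency and an older copy nested under another package is easy to miss with a glance at package.json. The sample lockfile embedded below is constructed, and the function names are this example's own.

```javascript
// Added example, not code from flatted or from the advisory: find every copy of
// flatted recorded in an npm lockfile and flag any version below the 3.4.0 fix.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

const FIXED_VERSION = "3.4.0";

// Numeric dotted-version comparison; a prerelease suffix is ignored, so
// "3.4.0-beta.1" compares equal to 3.4.0. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version, vulnerable }] for each flatted copy in the lockfile.
function findFlatted(lockfile) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerable(version) });

  // lockfileVersion 2 and 3: "packages" is a flat map keyed by install path,
  // e.g. "node_modules/flat-cache/node_modules/flatted" for a nested copy.
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (path.split("/").pop() === "flatted" && meta && meta.version) {
        record(path, meta.version);
      }
    }
    return hits; // v2 also carries a legacy "dependencies" tree; skip it to avoid duplicates
  }

  // lockfileVersion 1: nested tree, where a package's own nested copies live
  // under its "dependencies" object.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "flatted" && meta.version) record(path, meta.version);
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

function summarize(lockfile) {
  const details = findFlatted(lockfile);
  const vulnerable = details.filter((h) => h.vulnerable).length;
  return { copies: details.length, vulnerable, details };
}

// Constructed sample lockfile (v3): a patched top-level copy plus an older
// copy nested under another package, the case a package.json check misses.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/flatted": { version: "3.4.0" },
    "node_modules/flat-cache": { version: "3.2.0" },
    "node_modules/flat-cache/node_modules/flatted": { version: "3.2.7" },
  },
};

// Against a real project: node check-flatted.js ./package-lock.json
const lockfile =
  typeof process !== "undefined" && process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
for (const h of findFlatted(lockfile)) {
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok        "} ${h.version}  ${h.path}`);
}
```

Run with no argument to see the constructed sample flagged (one patched copy, one vulnerable nested copy); run with a path to your own package-lock.json to audit a real tree. A non-empty VULNERABLE list after 'npm update flatted' means a parent package's range is holding back the nested copy, which is the case for an "overrides" or "resolutions" entry.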
📡 Detection & Monitoring
Log Indicators:
- Node.js processes exiting with "RangeError: Maximum call stack size exceeded" and flatted's parse() in the stack trace
- Clusters of failed JSON parsing attempts on endpoints that accept flatted payloads, especially for large request bodies
- Repeated process-manager restarts (pm2, systemd, container liveness probes) with no deployment in between
- Memory spikes from large request bodies may precede a crash, but the call-stack error is the reliable indicator; a stack exhaustion does not necessarily consume much heap
Network Indicators:
- Incoming requests with unusually large JSON payloads
- Repeated requests to JSON parsing endpoints from single sources
SIEM Query:
source="application.logs" AND ("stack overflow" OR "Maximum call stack size exceeded" OR "flatted parse error")