CVE-2026-32141 Overview
CVE-2026-32141 is a stack overflow vulnerability in flatted, a popular circular JSON parser for JavaScript. Prior to version 3.4.0, the library's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When processing a crafted payload with deeply nested or self-referential $ indices, the recursion depth becomes unbounded, causing a stack overflow that crashes the Node.js process.
Critical Impact
This vulnerability allows remote attackers to crash Node.js applications that use flatted to parse untrusted JSON input, resulting in complete denial of service.
Affected Products
- flatted versions prior to 3.4.0
- Node.js applications using vulnerable flatted versions for JSON parsing
- JavaScript applications processing untrusted circular JSON data
Discovery Timeline
- 2026-03-12 - CVE-2026-32141 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32141
Vulnerability Analysis
The vulnerability exists in flatted's JSON deserialization mechanism, specifically within the recursive revive() function responsible for resolving circular references. When flatted parses JSON containing special $ index markers, it recursively traverses and resolves these references to reconstruct the original object graph with circular references intact.
The core issue is that the recursion depth is unbounded—there is no limit on how deep the recursive calls can go. An attacker can craft a malicious payload containing deeply nested or self-referential $ indices that forces the parser into excessive recursion. Since JavaScript engines have limited call stack sizes, this unbounded recursion quickly exhausts the available stack space, causing a stack overflow exception that crashes the entire Node.js process.
This is classified as CWE-674 (Uncontrolled Recursion), a common vulnerability pattern in parsers and serialization libraries that process nested data structures without implementing recursion limits.
Root Cause
The root cause is the lack of recursion depth control in the revive() function. The original implementation used a purely recursive approach to traverse and resolve circular references in the deserialized data structure. Without explicit bounds checking or iterative alternatives, the function would follow chains of $ references indefinitely, limited only by the JavaScript engine's call stack capacity.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted JSON payload to any application endpoint that processes JSON using flatted's parse() function. The payload would contain deeply nested circular reference markers designed to maximize recursion depth.
typeof value === primitive ? new Primitive(value) : value
);
-const revive = (input, parsed, output, $) => {
- const lazy = [];
+const resolver = (input, lazy, parsed, $) => output => {
for (let ke = keys(output), {length} = ke, y = 0; y < length; y++) {
const k = ke[y];
const value = output[k];
Source: GitHub Commit
The patch replaces the recursive revive() function with an iterative resolver() approach that uses a lazy evaluation array to process circular references without deep recursion.
Detection Methods for CVE-2026-32141
Indicators of Compromise
- Unexpected Node.js process crashes with "Maximum call stack size exceeded" errors
- Application restarts correlated with JSON parsing activities
- Incoming JSON payloads with unusually deep nesting or repetitive $ index patterns
- Memory and CPU spikes followed by immediate process termination
Detection Strategies
- Monitor application logs for stack overflow exceptions originating from flatted module paths
- Implement application-level logging to track JSON parsing operations and payload sizes
- Use dependency scanning tools to identify flatted versions below 3.4.0 in your projects
- Deploy web application firewalls with rules to detect abnormally nested JSON structures
Monitoring Recommendations
- Set up alerting for Node.js process crash frequency exceeding normal baselines
- Monitor for patterns of repeated service restarts that may indicate exploitation attempts
- Track incoming request payload sizes and complexity metrics at ingress points
- Implement health checks that can detect process instability caused by DoS attacks
How to Mitigate CVE-2026-32141
Immediate Actions Required
- Upgrade flatted to version 3.4.0 or later immediately
- Audit all applications and dependencies that use flatted for JSON parsing
- Implement input validation to reject JSON payloads exceeding reasonable size and nesting limits
- Consider rate limiting on endpoints that accept JSON input from untrusted sources
Patch Information
The vulnerability is fixed in flatted version 3.4.0. The patch refactors the recursive revive() function into an iterative resolver() approach that avoids unbounded recursion. For detailed information about the fix, see the GitHub Security Advisory and the pull request that implemented the fix.
Workarounds
- If immediate upgrade is not possible, implement a wrapper around flatted.parse() that validates input depth before processing
- Use alternative JSON parsing libraries that have built-in recursion limits for untrusted input
- Deploy request payload size limits at the web server or API gateway level to reduce attack surface
- Consider sandboxing JSON parsing operations in worker threads to isolate potential crashes
# Update flatted to patched version
npm update flatted@3.4.0
# Verify installed version
npm list flatted
# Check for vulnerable versions in project dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
