{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-32141", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.546Z", "datePublished": "2026-03-12T18:08:09.634Z", "dateUpdated": "2026-07-09T12:09:41.555Z" }, "containers": { "cna": { "title": "flatted: Unbounded recursion DoS in parse() revive phase", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "references": [ { "name": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f" }, { "name": "https://github.com/WebReflection/flatted/pull/88", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WebReflection/flatted/pull/88" }, { "name": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606" } ], "affected": [ { "vendor": "WebReflection", "product": "flatted", "versions": [ { "version": "< 3.4.0", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:08:09.634Z" }, "descriptions": [ { "lang": "en", "value": "flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0." } ], "source": { "advisory": "GHSA-25h7-pfq9-p65f", "discovery": "UNKNOWN" } }, "adp": [ { "references": [ { "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T16:20:15.479714Z", "id": "CVE-2026-32141", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:20:19.201Z" } }, { "affected": [ { "cpes": [ "cpe:/a:redhat:cluster_observability_operator:1.5::el9" ], "defaultStatus": "affected", "product": "Cluster Observability Operator 1.5.0", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1.8::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1.9::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:edge_manager:1.0::el9" ], "defaultStatus": "affected", "product": "Red Hat Edge Manager 1.0", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:2.16::el8" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 2.16", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_devspaces:3.28::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Dev Spaces 3.28", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:logging:5" ], "defaultStatus": "affected", "product": "Logging Subsystem for Red Hat OpenShift", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:red_hat_3scale_amp:2" ], "defaultStatus": "affected", "product": "Red Hat 3scale API Management Platform 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2" ], "defaultStatus": "affected", "product": "Red Hat Ansible Automation Platform 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "product": "Red Hat build of Apicurio Registry 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "affected", "product": "streams for Apache Kafka 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:amq_streams:3" ], "defaultStatus": "affected", "product": "streams for Apache Kafka 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:cryostat:4" ], "defaultStatus": "unaffected", "product": "Cryostat 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "unaffected", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:directory_server:11" ], "defaultStatus": "unaffected", "product": "Red Hat Directory Server 11", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:directory_server:12" ], "defaultStatus": "unaffected", "product": "Red Hat Directory Server 12", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:directory_server:13" ], "defaultStatus": "unaffected", "product": "Red Hat Directory Server 13", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "unaffected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unaffected", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "unaffected", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "datePublic": "2026-03-12T18:08:09.634Z", "descriptions": [ { "lang": "en", "value": "A denial of service flaw has been discovered in the flatted npm library. flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-32141" }, { "name": "RHBZ#2447083", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447083" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32141.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:34342" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:9742" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:13826" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:36651" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:21772" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0" }, { "lang": "en", "value": "RHSA-2026:9742: Red Hat Developer Hub 1.8" }, { "lang": "en", "value": "RHSA-2026:13826: Red Hat Developer Hub 1.9" }, { "lang": "en", "value": "RHSA-2026:36651: Red Hat Edge Manager 1.0" }, { "lang": "en", "value": "RHSA-2026:5807: Red Hat OpenShift AI 2.16" }, { "lang": "en", "value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28" } ], "timeline": [ { "lang": "en", "time": "2026-03-12T19:01:30.987Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-03-12T18:08:09.634Z", "value": "Made public." } ], "title": "flatted: flatted: Unbounded recursion DoS in parse() revive phase", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-09T12:09:41.555Z" } } ] } }