CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Blast Radius
Ecosystem impact: 5 npm packages depend on flatted (2 direct, 3 indirect).
Ecosystem-wide dependent count for version 3.4.0.
Description (NVD)
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Analysis (AI)
flatted is a circular JSON parser. Versions before 3.4.0 are affected by uncontrolled recursion (CVSS 7.5).
Remediation (AI)
Within 24 hours: Identify all systems and applications using flatted library and document their criticality. Within 7 days: Implement input validation and recursion depth limits as interim controls; contact vendor for patch timeline and availability. …
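The two interim controls named above, an input validation step and a recursion-free revive, as an added example in plain Node.js. This is not flatted's own code and not code from the advisory; it assumes a simplified flatted-style layout in which the payload is a JSON array, element 0 is the root, numbers, booleans and null inside a record are literal values, and any string inside a record is the decimal index of another element. The limits (64 levels of raw nesting, 10000 records) are constructed defaults, not values from the page.

```javascript
// Added example (not flatted's own code): interim controls against unbounded
// recursion when reviving a flatted-style payload.
//
// Assumed layout (not taken from the advisory): JSON array, element 0 is the
// root, primitives inside records are literal, strings inside records are
// decimal indices of other elements.

const MAX_NESTING = 64;      // constructed limit on raw JSON bracket depth
const MAX_RECORDS = 10000;   // constructed limit on records per payload

// Control 1: bound the raw nesting depth of the JSON text before JSON.parse.
// Single linear pass, no recursion; string literals are skipped so that
// brackets inside strings are not counted.
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "[" || ch === "{") { depth++; if (depth > max) max = depth; }
    else if (ch === "]" || ch === "}") depth--;
  }
  return max;
}

// Control 2: resolve index references with an explicit work list instead of
// recursion. Each record is materialised once (memo), so self-references and
// cycles terminate, and the call stack does not grow with payload depth.
function safeRevive(text, { maxNesting = MAX_NESTING, maxRecords = MAX_RECORDS } = {}) {
  if (jsonNestingDepth(text) > maxNesting) throw new Error("payload nesting exceeds limit");
  const records = JSON.parse(text);
  if (!Array.isArray(records) || records.length === 0) throw new Error("expected a non-empty array");
  if (records.length > maxRecords) throw new Error("payload record count exceeds limit");

  const memo = new Array(records.length);
  const isRef = (v) => typeof v === "string" && /^\d+$/.test(v);
  const pending = [];                // [container, key, rawValue] still to resolve

  function getOrCreate(idx) {
    if (memo[idx] !== undefined) return memo[idx];
    const raw = records[idx];
    if (raw === null || typeof raw !== "object") { memo[idx] = raw; return raw; }
    const out = Array.isArray(raw) ? [] : {};
    memo[idx] = out;                 // register before children so cycles hit the memo
    for (const key of Object.keys(raw)) pending.push([out, key, raw[key]]);
    return out;
  }

  function resolve(v) {
    if (!isRef(v)) return v;
    const idx = Number(v);
    if (idx >= records.length) throw new Error("dangling reference " + v);
    return getOrCreate(idx);
  }

  getOrCreate(0);
  while (pending.length) {
    const [container, key, value] = pending.pop();
    container[key] = resolve(value);
  }
  return memo[0];
}

module.exports = { jsonNestingDepth, safeRevive };
```

The depth scan runs before JSON.parse so oversized input is rejected without being materialised at all; the work-list revive then gives a fixed stack cost whatever the reference depth, which is the property the recursive revive() described above lacks.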
EUVD-2026-11653
GHSA-25h7-pfq9-p65f