flatted CVE-2026-33228
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-supplied input (AV:N) with no auth or interaction (PR:N/UI:N), but AC:H because impact needs the app to write to the leaked property and a usable pollution gadget; integrity/availability high, confidentiality only gadget-dependent low.
Primary rating from Vendor (https://github.com/WebReflection/flatted).
CVSS VectorVendor: https://github.com/WebReflection/flatted
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9Blast Radius
ecosystem impact- 83,981 npm packages depend on flatted (2,805 direct, 81,243 indirect)
Ecosystem-wide dependent count for version 3.4.2.
DescriptionCVE.org
--- Summary
The parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\_\_proto\_\_" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype.
--- Root Cause
File: esm/index.js:29 (identical in cjs/index.js)
const resolver = (input, lazy, parsed, $) => output => {
for (let ke = keys(output), {length} = ke, y = 0; y < length; y++) {
const k = ke[y];
const value = output[k];
if (value instanceof Primitive) {
const tmp = input[value]; // Bug is hereNo validation that value is a safe numeric index input is built as a plain Array. JavaScript's property lookup on arrays traverses the prototype chain for non-numeric keys. The key "\_\_proto\_\_" resolves to Array.prototype, which:
- has type "object" → passes the typeof tmp === object guard at line 30
- is not in the parsed Set yet → passes the !parsed.has(tmp) guard.
- The reference to Array.prototype is then enqueued in lazy and later unconditionally assigned to the output object.
--- Replication Steps
const Flatted = require('flatted');
const parsed = Flatted.parse('[{"x":"__proto__"}]');
parsed.x.polluted = 'pwned';
console.log([].polluted); // Returns true--- Impact An attacker can supply a crafted flatted string to parse() that causes the returned object to hold a live reference to Array.prototype, enabling any downstream code that writes to that property to pollute the global prototype chain, potentially causing denial of service or code execution.
Recommended solution Validate that the index string represents an integer within the bounds of input before accessing it:
// Before (vulnerable) const tmp = input[value];
// After (safe) const idx = +value; // coerce boxed String → number const tmp = (Number.isInteger(idx) && idx >= 0 && idx < input.length) ? input[idx] : undefined;
AnalysisAI
Prototype pollution in the flatted npm library (versions <= 3.4.1) lets an attacker who controls input to the parse() function leak a live reference to Array.prototype into the returned object, so any later write to that property poisons the global prototype chain. The flaw stems from parse() using attacker-supplied JSON string values such as "__proto__" as raw array index keys without numeric validation. Publicly available exploit code exists (a three-line proof of concept in the GitHub Security Advisory), though EPSS is only 0.01% (2nd percentile) and it is not in CISA KEV.
Technical ContextAI
flatted is a small, very widely used JavaScript serialization library that flattens and reconstructs objects containing circular references, used as a transitive dependency by many tooling packages (e.g. test coverage and logging tools). The bug, classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes / prototype pollution), lives in the resolver in esm/index.js:29 (and the identical cjs build): const tmp = input[value] indexes the internal reconstruction buffer - a plain JavaScript Array - with an unvalidated boxed-String value. Because JavaScript property lookup on arrays walks the prototype chain for non-numeric keys, a value of "__proto__" resolves to Array.prototype, which passes the typeof tmp === 'object' and !parsed.has(tmp) guards and is then enqueued and assigned onto the output object, handing the consumer a live reference to the global Array prototype.
RemediationAI
Vendor-released patch: 3.4.2 - upgrade flatted to 3.4.2 or later, including transitive copies (run npm ls flatted, then update parent packages or pin/override the resolution), per the GitHub Security Advisory GHSA-rf6f-7fwh-wjgh and fix commit 885ddcc33cf9657caf38c57c7be45ae1c5272802; Red Hat users should apply RHSA-2026:13826 and RHSA-2026:9742. The fix simply coerces the index with input[+value] so a non-numeric key like "__proto__" becomes NaN and yields undefined instead of Array.prototype. If you cannot upgrade immediately, the actionable compensating control is to avoid passing untrusted or externally sourced strings to Flatted.parse() - validate or sandbox the data source - and review downstream code that assigns to properties of parse() output to ensure it does not blindly write to inherited keys; the trade-off is that this requires per-call-site auditing and does not fix the library itself, so upgrading remains the only durable remediation.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-rf6f-7fwh-wjgh