Skip to main content

flatted CVE-2026-33228

HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-03-19 https://github.com/WebReflection/flatted GHSA-rf6f-7fwh-wjgh
8.9
CVSS 4.0 · Vendor: https://github.com/WebReflection/flatted
Share

Severity by source

Vendor (https://github.com/WebReflection/flatted) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-supplied input (AV:N) with no auth or interaction (PR:N/UI:N), but AC:H because impact needs the app to write to the leaked property and a usable pollution gadget; integrity/availability high, confidentiality only gadget-dependent low.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
9.8 CRITICAL
qualitative

Primary rating from Vendor (https://github.com/WebReflection/flatted).

CVSS VectorVendor: https://github.com/WebReflection/flatted

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 27, 2026 - 05:31 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 27, 2026 - 05:31 vuln.today
Analysis Updated
Jun 27, 2026 - 05:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 05:22 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Jun 27, 2026 - 05:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
CVE Published
Mar 19, 2026 - 17:43 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 83,981 npm packages depend on flatted (2,805 direct, 81,243 indirect)

Ecosystem-wide dependent count for version 3.4.2.

DescriptionCVE.org

--- Summary

The parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\_\_proto\_\_" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype.

--- Root Cause

File: esm/index.js:29 (identical in cjs/index.js)

  const resolver = (input, lazy, parsed, $) => output => {
    for (let ke = keys(output), {length} = ke, y = 0; y < length; y++) {
      const k = ke[y];
      const value = output[k];
      if (value instanceof Primitive) {
        const tmp = input[value];      // Bug is here

No validation that value is a safe numeric index input is built as a plain Array. JavaScript's property lookup on arrays traverses the prototype chain for non-numeric keys. The key "\_\_proto\_\_" resolves to Array.prototype, which:

  • has type "object" → passes the typeof tmp === object guard at line 30
  • is not in the parsed Set yet → passes the !parsed.has(tmp) guard.
  • The reference to Array.prototype is then enqueued in lazy and later unconditionally assigned to the output object.

--- Replication Steps

  const Flatted = require('flatted');
  const parsed = Flatted.parse('[{"x":"__proto__"}]');
  parsed.x.polluted = 'pwned';
  console.log([].polluted);  // Returns true

--- Impact An attacker can supply a crafted flatted string to parse() that causes the returned object to hold a live reference to Array.prototype, enabling any downstream code that writes to that property to pollute the global prototype chain, potentially causing denial of service or code execution.

Recommended solution Validate that the index string represents an integer within the bounds of input before accessing it:

// Before (vulnerable) const tmp = input[value];

// After (safe) const idx = +value; // coerce boxed String → number const tmp = (Number.isInteger(idx) && idx >= 0 && idx < input.length) ? input[idx] : undefined;

AnalysisAI

Prototype pollution in the flatted npm library (versions <= 3.4.1) lets an attacker who controls input to the parse() function leak a live reference to Array.prototype into the returned object, so any later write to that property poisons the global prototype chain. The flaw stems from parse() using attacker-supplied JSON string values such as "__proto__" as raw array index keys without numeric validation. Publicly available exploit code exists (a three-line proof of concept in the GitHub Security Advisory), though EPSS is only 0.01% (2nd percentile) and it is not in CISA KEV.

Technical ContextAI

flatted is a small, very widely used JavaScript serialization library that flattens and reconstructs objects containing circular references, used as a transitive dependency by many tooling packages (e.g. test coverage and logging tools). The bug, classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes / prototype pollution), lives in the resolver in esm/index.js:29 (and the identical cjs build): const tmp = input[value] indexes the internal reconstruction buffer - a plain JavaScript Array - with an unvalidated boxed-String value. Because JavaScript property lookup on arrays walks the prototype chain for non-numeric keys, a value of "__proto__" resolves to Array.prototype, which passes the typeof tmp === 'object' and !parsed.has(tmp) guards and is then enqueued and assigned onto the output object, handing the consumer a live reference to the global Array prototype.

RemediationAI

Vendor-released patch: 3.4.2 - upgrade flatted to 3.4.2 or later, including transitive copies (run npm ls flatted, then update parent packages or pin/override the resolution), per the GitHub Security Advisory GHSA-rf6f-7fwh-wjgh and fix commit 885ddcc33cf9657caf38c57c7be45ae1c5272802; Red Hat users should apply RHSA-2026:13826 and RHSA-2026:9742. The fix simply coerces the index with input[+value] so a non-numeric key like "__proto__" becomes NaN and yields undefined instead of Array.prototype. If you cannot upgrade immediately, the actionable compensating control is to avoid passing untrusted or externally sourced strings to Flatted.parse() - validate or sandbox the data source - and review downstream code that assigns to properties of parse() output to ensure it does not blindly write to inherited keys; the trade-off is that this requires per-call-site auditing and does not fix the library itself, so upgrading remains the only durable remediation.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Vendor StatusVendor

Share

CVE-2026-33228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy