DEBIAN-CVE-2026-32141

DEBIAN-CVE-2026-32141 PUBLISHED CVSS 7.5 HIGH

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:11	node-flatted	3.4.2, 3.4.1~ds-1, 3.4.2~ds-1
Debian:14	node-flatted	3.2.7~ds-1, 0, 3.2.7
Debian:13	node-flatted	3.4.2~ds-1, 0, *
Debian:12	node-flatted	0, 3.4.1~ds-1, 3.4.2~ds-1

Exploit Intelligence

.trivyignore.yml (github-poc)
lisa24-exploit-tests.py (github-poc)

Timeline

Mar 12, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-32141 advisory

Open in Interactive Console →