Bug 2447083 (CVE-2026-32141)

Summary: CVE-2026-32141 flatted: flatted: Unbounded recursion DoS in parse() revive phase
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abuckta, akostadi, amasferr, aschwart, asoldano, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, bsmejkal, caswilli, chfoley, cmah, darran.lofthouse, dbruscin, dhanak, dkuc, dmayorov, doconnor, dosoudil, drosa, dschmidt, eaguilar, ebaron, erezende, eric.wittmann, fjuma, gmalinko, ibek, istudens, ivassile, iweiss, jachapma, janstey, jcantril, jkoehler, jlanda, jlledo, jolong, jrokos, kaycoth, kshier, kvanderr, kverlaen, lchilton, lphiri, mnovotny, mosmerov, mposolda, msvehla, nipatil, nwallace, orabin, pantinor, pberan, pbizzarr, pdelbell, pesilva, pjindal, pmackay, progier, rgodfrey, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, simaishi, smaestri, smcdonal, snegrini, spichugi, ssidhaye, ssilvert, stcannon, sthorger, swoodman, tbordaz, teagle, tom.jenkinson, tsedmik, vashirov, vmuzikar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial of service flaw has been discovered in the flatted npm library. flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2447207, 2447208, 2447209, 2447211, 2447212, 2447213, 2447214, 2447215, 2447217, 2447218, 2447210, 2447216    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-12 19:01:54 UTC 
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.