Bug 2447083 (CVE-2026-32141) - CVE-2026-32141 flatted: flatted: Unbounded recursion DoS in parse() revive phase
Summary: CVE-2026-32141 flatted: flatted: Unbounded recursion DoS in parse() revive phase
Keywords:
Status: NEW
Alias: CVE-2026-32141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2447207 2447208 2447209 2447211 2447212 2447213 2447214 2447215 2447217 2447218 2447210 2447216
Blocks:
Reported: 2026-03-12 19:01 UTC by OSIDB Bzimport
Modified: 2026-03-12 23:44 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-12 19:01:54 UTC
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
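
A lockfile check for the fixed version named above, as an added example that is not part of the bug report or of flatted itself: it lists every flatted copy below 3.4.0 in an npm `package-lock.json` (lockfileVersion 2/3 `packages` layout), including nested copies. The sample lockfile and the package names `demo-app`, `flatted-utils` and `legacy-tool` are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for flatted copies older than
// 3.4.0, the fixed version stated in this bug.
const FIXED = [3, 4, 0];

// Parse "major.minor.patch" into numbers. Assumption: any pre-release or
// build suffix is ignored, so "3.4.0-beta" is treated like "3.4.0".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b (numeric, per field).
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed flatted entry below the fixed version, including
// copies nested under other packages' node_modules directories.
function findVulnerableFlatted(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package directory exactly, not names that merely start with it.
    if (!/(^|\/)node_modules\/flatted$/.test(path)) continue;
    const ver = parseVersion(meta.version);
    // Unparseable versions are reported so they get a manual look.
    if (ver === null || isBefore(ver, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/flatted": { version: "3.4.0" },
    "node_modules/flat-cache/node_modules/flatted": { version: "3.3.1" },
    "node_modules/flatted-utils": { version: "1.0.0" },
    "node_modules/legacy-tool/node_modules/flatted": { version: "2.0.2" },
  },
};

console.log(findVulnerableFlatted(sampleLock));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.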

