CVE-2026-33228 — Prototype Pollution in Flatted

CWE-1321 — Prototype Pollution CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes9 documents7 sources

Severity

8.9HIGHNVD

EPSS

0.0%

top 86.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webreflection Flatted Debian Node-flatted Msrc Azl3 Python-tensorboard 2.16.2-6 ON Azure Linux 3.0 +1 more

Timeline

PublishedMar 20

Description

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/node-flatted< node-flatted 3.4.2~ds-1 (forky)

▶NVDwebreflection/flatted< 3.4.2

▶npmwebreflection/flatted< 3.4.2

▶msrcmsrc/azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0

▶msrcmsrc/cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33228: flatted is a circular JSON parser↗2026-03-20

▶

GHSA

Prototype Pollution via parse() in NodeJS flatted↗2026-03-19

▶

OSV

Prototype Pollution via parse() in NodeJS flatted↗2026-03-19

▶

📋Vendor Advisories

Red Hat

flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON.↗2026-03-20

▶

Microsoft

flatted: Prototype Pollution via parse()↗2026-03-10

▶

Debian

CVE-2026-33228: node-flatted - flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33228 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶