Debian Node-Flatted vulnerabilities

CVE-2026-33228 [HIGH] CVE-2026-33228: node-flatted - flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function ... flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited gett

CVE-2026-32141 [HIGH] CVE-2026-32141: node-flatted - flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function us... flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed