Webreflection Flatted vulnerabilities

CVE-2026-33228 [HIGH] CWE-1321 CVE-2026-33228: flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use a flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inh

CVE-2026-32141 [HIGH] CWE-674 CVE-2026-32141: flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive reviv flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability