CVE-2026-32141 (GCVE-0-2026-32141)

Vulnerability from cvelistv5 – Published: 2026-03-12 18:08 – Updated: 2026-06-30 12:07
VLAI
Title
flatted: Unbounded recursion DoS in parse() revive phase
Summary
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-674 - Uncontrolled Recursion
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
WebReflection flatted Affected: < 3.4.0
Create a notification for this product.
Red Hat Red Hat Developer Hub 1.8     cpe:/a:redhat:rhdh:1.8::el9
Create a notification for this product.
Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.16     cpe:/a:redhat:openshift_ai:2.16::el8
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
Create a notification for this product.
Red Hat Logging Subsystem for Red Hat OpenShift     cpe:/a:redhat:logging:5
Create a notification for this product.
Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
Create a notification for this product.
Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
Create a notification for this product.
Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
Create a notification for this product.
Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
Create a notification for this product.
Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
Create a notification for this product.
Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
Create a notification for this product.
Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
Create a notification for this product.
Red Hat Red Hat Directory Server 11     cpe:/a:redhat:directory_server:11
Create a notification for this product.
Red Hat Red Hat Directory Server 12     cpe:/a:redhat:directory_server:12
Create a notification for this product.
Red Hat Red Hat Directory Server 13     cpe:/a:redhat:directory_server:13
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32141",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T16:20:15.479714Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T16:20:19.201Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:rhdh:1.8::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Developer Hub 1.8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhdh:1.9::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Developer Hub 1.9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.16::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI 2.16",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.28::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Spaces 3.28",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:logging:5"
            ],
            "defaultStatus": "affected",
            "product": "Logging Subsystem for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_registry:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apicurio Registry 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:edge_manager:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Edge Manager 1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:red_hat_single_sign_on:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Single Sign-On 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_streams:2"
            ],
            "defaultStatus": "affected",
            "product": "streams for Apache Kafka 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_streams:3"
            ],
            "defaultStatus": "affected",
            "product": "streams for Apache Kafka 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_broker:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat AMQ Broker 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:optaplanner:::el6"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat build of OptaPlanner 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:directory_server:11"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Directory Server 11",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:directory_server:12"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Directory Server 12",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:directory_server:13"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Directory Server 13",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Process Automation 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-12T18:08:09.634Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A denial of service flaw has been discovered in the flatted npm library. flatted\u0027s parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:46.267Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-32141"
          },
          {
            "name": "RHBZ#2447083",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447083"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32141.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9742"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13826"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:5807"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21772"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:9742: Red Hat Developer Hub 1.8"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13826: Red Hat Developer Hub 1.9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:5807: Red Hat OpenShift AI 2.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-12T19:01:30.987Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-12T18:08:09.634Z",
            "value": "Made public."
          }
        ],
        "title": "flatted: flatted: Unbounded recursion DoS in parse() revive phase",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flatted",
          "vendor": "WebReflection",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "flatted is a circular JSON parser. Prior to 3.4.0, flatted\u0027s parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T18:08:09.634Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f"
        },
        {
          "name": "https://github.com/WebReflection/flatted/pull/88",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WebReflection/flatted/pull/88"
        },
        {
          "name": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606"
        }
      ],
      "source": {
        "advisory": "GHSA-25h7-pfq9-p65f",
        "discovery": "UNKNOWN"
      },
      "title": "flatted: Unbounded recursion DoS in parse() revive phase"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32141",
    "datePublished": "2026-03-12T18:08:09.634Z",
    "dateReserved": "2026-03-10T22:19:36.546Z",
    "dateUpdated": "2026-06-30T12:07:46.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32141",
      "date": "2026-07-01",
      "epss": "0.00777",
      "percentile": "0.51295"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32141\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-12T18:16:25.837\",\"lastModified\":\"2026-06-30T03:18:28.523\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"flatted is a circular JSON parser. Prior to 3.4.0, flatted\u0027s parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.\"},{\"lang\":\"es\",\"value\":\"flatted es un analizador de JSON circular. Antes de la versi\u00f3n 3.4.0, la funci\u00f3n parse() de flatted utiliza una fase recursiva revive() para resolver referencias circulares en JSON deserializado. Cuando se le proporciona una carga \u00fatil manipulada con \u00edndices $ profundamente anidados o autorreferenciales, la profundidad de recursi\u00f3n es ilimitada, causando un desbordamiento de pila que bloquea el proceso de Node.js. Esta vulnerabilidad se ha corregido en la versi\u00f3n 3.4.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"WebReflection\",\"product\":\"flatted\",\"versions\":[{\"version\":\"\u003c 3.4.0\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub 1.8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhdh:1.8::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub 1.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhdh:1.9::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI 2.16\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai:2.16::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces 3.28\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3.28::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logging Subsystem for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:logging:5\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat 3scale API Management Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:red_hat_3scale_amp:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apicurio Registry 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_registry:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Data Grid 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_data_grid:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Edge Manager 1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:edge_manager:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Fuse 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_fuse:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Single Sign-On 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:red_hat_single_sign_on:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"streams for Apache Kafka 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_streams:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"streams for Apache Kafka 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_streams:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:cryostat:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AMQ Broker 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:amq_broker:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of OptaPlanner 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:optaplanner:::el6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Directory Server 11\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:directory_server:11\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Directory Server 12\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:directory_server:12\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Directory Server 13\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:directory_server:13\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_application_platform:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform Expansion Pack\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:jbosseapxp\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Process Automation 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:quay:3\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-13T16:20:15.479714Z\",\"id\":\"CVE-2026-32141\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webreflection:flatted:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.4.0\",\"matchCriteriaId\":\"767AEF0F-F297-47FE-8BA7-F1B7D7DFB8F0\"}]}]}],\"references\":[{\"url\":\"https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WebReflection/flatted/pull/88\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:13826\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21772\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:5807\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:9742\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-32141\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2447083\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32141.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32141\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:20:15.479714Z\"}}}], \"references\": [{\"url\": \"https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:20:10.284Z\"}}], \"cna\": {\"title\": \"flatted: Unbounded recursion DoS in parse() revive phase\", \"source\": {\"advisory\": \"GHSA-25h7-pfq9-p65f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WebReflection\", \"product\": \"flatted\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f\", \"name\": \"https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WebReflection/flatted/pull/88\", \"name\": \"https://github.com/WebReflection/flatted/pull/88\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606\", \"name\": \"https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"flatted is a circular JSON parser. Prior to 3.4.0, flatted\u0027s parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674: Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T18:08:09.634Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32141\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:20:19.201Z\", \"dateReserved\": \"2026-03-10T22:19:36.546Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T18:08:09.634Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…