216.73.216.233

CVE-2026-33228

· Published 20/03/2026 23:16 · Modified 20/03/2026 23:16

Labels: CVE-2026-33228 2026-03-20CVE-2026-33228CWE-1321[email protected]

Essential information

Published
20/03/2026 23:16
Modified
20/03/2026 23:16
Author
Creator
CVSS
8.9 HIGH (v3) 8.9 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
flatted / flatted cpe:2.3:a:flatted:flatted:<3.4.2:*:*:*:*:*:*:*

References