Skip to content

fix(deps): update dependency flatted to ^3.4.0 [security]#803

Merged
michnowak merged 2 commits intomainfrom
renovate/npm-flatted-vulnerability
Mar 16, 2026
Merged

fix(deps): update dependency flatted to ^3.4.0 [security]#803
michnowak merged 2 commits intomainfrom
renovate/npm-flatted-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 15, 2026

This PR contains the following updates:

Package Change Age Confidence
flatted ^3.3.3^3.4.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-32141

Summary

flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.

Impact

Denial of Service (DoS). Any application that passes untrusted input to flatted.parse() can be crashed by an unauthenticated attacker with a single request.

flatted has ~87M weekly npm downloads and is used as the circular-JSON serialization layer in many caching and logging libraries.

Proof of Concept

const flatted = require('flatted');

// Build deeply nested circular reference chain
const depth = 20000;
const arr = new Array(depth + 1);
arr[0] = '{"a":"1"}';
for (let i = 1; i <= depth; i++) {
  arr[i] = `{"a":"${i + 1}"}`;
}
arr[depth] = '{"a":"leaf"}';

const payload = JSON.stringify(arr);
flatted.parse(payload); // RangeError: Maximum call stack size exceeded

Fix

The maintainer has already merged an iterative (non-recursive) implementation in PR #​88, converting the recursive revive() to a stack-based loop.

Affected Versions

All versions prior to the PR #​88 fix.

Release Notes

WebReflection/flatted (flatted)

v3.4.0

Compare Source

v3.3.4

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 15, 2026

Coverage Report for packages/configs/vitest-config

Status Category Percentage Covered / Total
🔵 Lines 77.74% 1718 / 2210
🔵 Statements 76.71% 1808 / 2357
🔵 Functions 73.86% 520 / 704
🔵 Branches 65.58% 1147 / 1749
File CoverageNo changed files found.
Generated in workflow #493 for commit 9783694 by the Vitest Coverage Report Action

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Mar 15, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@michnowak michnowak merged commit d05b09b into main Mar 16, 2026
3 checks passed
@michnowak michnowak deleted the renovate/npm-flatted-vulnerability branch March 16, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michnowak michnowak michnowak approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michnowak