## Security Alert: flatted <=3.4.1 Exposes Projects to Critical DoS & Prototype Pollution Attacks
A high-severity security flaw has been identified in the widely used `flatted` npm package, exposing the large number of JavaScript projects that depend on it to potential Denial-of-Service (DoS) and prototype pollution attacks. The vulnerability, present in all versions up to and including 3.4.1, allows an attacker to crash applications or manipulate object prototypes by submitting maliciously crafted JSON data to the library's `parse()` function. This poses a direct threat to any system that passes untrusted JSON input to this popular serialization library.

The core of the issue lies in two distinct but critical weaknesses. First, an Unbounded Recursion DoS vulnerability (CVE pending, GHSA-25h7-pfq9-p65f) affects versions below 3.4.0. An attacker can trigger infinite recursion during the `parse()` function's revive phase, causing the Node.js process to exhaust its call stack and crash, leading to a complete service outage. Second, a Prototype Pollution vulnerability (GHSA-rf6f-7fwh-wjgh) persists through version 3.4.1, enabling attackers to inject properties into global object prototypes, which can lead to remote code execution, data tampering, or further security bypasses depending on the application's context.

This vulnerability is particularly dangerous due to `flatted`'s common role as a transitive dependency, meaning many developers may be unaware their project is using a vulnerable version. The CVSS score of 7.5 (High) underscores the significant availability impact. All projects must immediately upgrade to `flatted@3.4.2` or later, which contains the necessary patches. Failure to remediate leaves applications open to disruption and compromise from a simple, malicious API request.
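Because the vulnerable copy is often a transitive dependency, a direct `npm ls` of your own `package.json` can miss it. The following script, added here as an example and not part of the advisory, walks a parsed `package-lock.json` (the real npm lockfileVersion 2/3 `packages` map, whose keys are install paths) and reports every `flatted` entry at or below 3.4.1, including copies nested under other packages. The lockfile content and the dependency name `some-logger` are constructed for the demo.

```javascript
// Added example (not from the advisory): scan a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map) for flatted installs at version <= 3.4.1,
// including transitive copies nested under other packages. Sample lock is constructed.

const LAST_VULNERABLE = '3.4.1'; // highest affected version per the advisory

// Numeric x.y.z comparison; a pre-release suffix is ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerableFlatted(version) {
  return compareSemver(version, LAST_VULNERABLE) <= 0;
}

// Returns [{ path, version }] for every vulnerable flatted entry. Lockfile keys are
// install paths, so "node_modules/x/node_modules/flatted" is a nested (transitive) copy.
function findVulnerableFlatted(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/flatted') && meta.version && isVulnerableFlatted(meta.version)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: a fixed root copy plus a vulnerable copy pulled in by a
// hypothetical dependency "some-logger", the case the advisory warns about.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/flatted': { version: '3.4.2' },
    'node_modules/some-logger': { version: '1.0.0', dependencies: { flatted: '^3.2.0' } },
    'node_modules/some-logger/node_modules/flatted': { version: '3.4.1' },
  },
};

for (const h of findVulnerableFlatted(sampleLock)) {
  console.log(`VULNERABLE ${h.path} flatted@${h.version} -> upgrade to >=3.4.2`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means a nested resolution still pins an affected release even if the root copy is already 3.4.2.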

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, npm, javascript, vulnerability, denial-of-service
- **Credibility**: unverified
- **Published**: 2026-03-27 09:27:04
- **ID**: 37227
- **URL**: https://whisperx.ai/en/intel/37227