The WebReflection flatted library is designed to parse and stringify JSON data containing circular references, which standard JSON cannot handle. Prior to version 3.4.0, the parse() function internally uses a recursive revive() function to reconstruct circular references during deserialization. This recursive approach does not impose limits on recursion depth, allowing an attacker to craft malicious JSON payloads with deeply nested or self-referential $ indices. When such a payload is parsed, the recursion depth grows without bound, causing a stack overflow in the Node.js process hosting the application. This results in a crash, effectively causing a denial of service. The vulnerability is classified under CWE-674 (Uncontrolled Recursion) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects availability only (A:H) without impacting confidentiality or integrity. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and fixed in flatted version 3.4.0. The flaw is particularly relevant for applications that accept and parse JSON input from untrusted sources using vulnerable flatted versions in Node.js environments.

The primary impact of this vulnerability is denial of service through application crashes caused by stack overflow. Organizations running Node.js applications that utilize vulnerable versions of the flatted library for JSON parsing are at risk of service interruptions. This can affect web services, APIs, and backend systems that rely on flatted to handle JSON with circular references. While the vulnerability does not compromise data confidentiality or integrity, repeated crashes can degrade service availability, disrupt business operations, and potentially lead to cascading failures in dependent systems. Attackers can exploit this remotely without authentication or user interaction, increasing the risk of automated or large-scale attacks. Industries with high reliance on Node.js microservices or serverless functions parsing complex JSON data are particularly vulnerable. The absence of known exploits suggests a window for proactive mitigation before active exploitation occurs.

The most effective mitigation is to upgrade the flatted library to version 3.4.0 or later, where the uncontrolled recursion issue is fixed. Organizations should audit their codebases and dependencies to identify usage of flatted versions below 3.4.0. Additionally, implement input validation and JSON schema validation to limit the complexity and depth of incoming JSON data, rejecting payloads with excessive nesting or suspicious self-referential structures. Employ runtime monitoring and resource limits on Node.js processes to detect and mitigate abnormal recursion or stack usage patterns. Consider sandboxing or isolating services that parse untrusted JSON to contain potential crashes. For critical systems, implement redundancy and failover mechanisms to maintain availability during potential DoS attempts. Finally, maintain awareness of updates from the flatted project and related Node.js security advisories to promptly address emerging threats.