The vulnerability identified as CVE-2026-32141 affects the WebReflection flatted library, a tool used for parsing circular JSON structures in Node.js environments. Prior to version 3.4.0, the parse() function internally uses a recursive revive() method to reconstruct circular references during deserialization. This recursive approach lacks bounds checking on recursion depth when processing crafted JSON payloads containing deeply nested or self-referential $ indices. An attacker can exploit this by sending malicious JSON data that triggers unbounded recursion, leading to a stack overflow condition. This overflow causes the Node.js process to crash, resulting in a denial of service (DoS). The vulnerability is classified under CWE-674 (Uncontrolled Recursion) and has a CVSS v3.1 score of 7.5, indicating high severity. The attack vector is network-based with no required privileges or user interaction, making it relatively easy to exploit remotely. No known exploits are currently reported in the wild, but the impact on availability is significant for affected applications. The issue was addressed in flatted version 3.4.0 by implementing safeguards to limit recursion depth or refactoring the revive() logic to prevent stack overflow. Since flatted is widely used in Node.js applications for handling circular JSON, this vulnerability poses a risk to any service deserializing untrusted JSON input using vulnerable versions.

The primary impact of CVE-2026-32141 is denial of service through application crashes caused by stack overflow in Node.js processes using vulnerable flatted versions. This can disrupt web services, APIs, and backend systems relying on flatted for JSON parsing, potentially leading to downtime and degraded user experience. Although the vulnerability does not compromise data confidentiality or integrity, repeated exploitation could be used to degrade service availability or as part of a larger attack chain. Organizations with high-availability requirements or those exposing JSON parsing endpoints to untrusted inputs are particularly at risk. The ease of exploitation without authentication or user interaction increases the threat level, especially for internet-facing applications. Additionally, automated attacks could target vulnerable systems to cause widespread outages or service interruptions. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.

To mitigate CVE-2026-32141, organizations should immediately upgrade the flatted library to version 3.4.0 or later, where the recursion issue is fixed. Developers should audit their dependencies to identify and update any usage of vulnerable flatted versions. Implement input validation and JSON schema validation to restrict deeply nested or suspicious circular references in incoming JSON payloads. Employ runtime monitoring and alerting for unexpected Node.js process crashes or high recursion stack usage. Consider sandboxing or isolating JSON parsing operations to limit the blast radius of potential crashes. For critical systems, implement rate limiting and filtering on endpoints that accept JSON input to reduce exposure to crafted payloads. Additionally, maintain up-to-date dependency management practices and monitor vulnerability advisories for related issues. If upgrading is not immediately feasible, applying application-level checks to detect and reject overly complex or recursive JSON structures can provide temporary protection.