
CVE-2026-33228: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in WebReflection flatted

Severity: High
Published: Fri Mar 20 2026 (03/20/2026, 23:06:48 UTC)
Source: CVE Database V5
Vendor/Project: WebReflection
Product: flatted

Description

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/28/2026, 21:16:03 UTC

Technical Analysis

The vulnerability identified as CVE-2026-33228 affects the WebReflection flatted library, a circular JSON parser widely used in JavaScript environments to safely parse and stringify JSON data that may contain circular references. Prior to version 3.4.2, the parse() function in flatted does not properly validate string keys extracted from the parsed JSON before using them as array indices. Specifically, when the key "__proto__" is used, the internal input buffer (a JavaScript Array) returns the Array.prototype object through the inherited getter mechanism. This prototype object is then mistakenly treated as a legitimate parsed value and assigned as a property of the output object. This assignment effectively leaks a live reference to Array.prototype to the consumer code. Any subsequent modification to this property results in prototype pollution, where the global Array.prototype is altered. Prototype pollution is a critical security issue because it can lead to unexpected behavior across the entire JavaScript runtime environment, including denial of service, arbitrary code execution, or bypassing security controls. The vulnerability requires no privileges or user interaction, making it easily exploitable remotely. The issue was addressed and patched in flatted version 3.4.2 by adding proper validation to ensure only numeric keys are used as array indices, preventing the prototype from being exposed and modified.

Potential Impact

The impact of this vulnerability is significant for organizations using the flatted library versions prior to 3.4.2 in their JavaScript applications, especially those exposed to untrusted JSON input. Prototype pollution can lead to widespread integrity issues by allowing attackers to modify the behavior of all arrays globally within the affected runtime. This can cause application logic errors, data corruption, or denial of service conditions. In some cases, it may enable remote code execution if the polluted prototype is leveraged in conjunction with other vulnerabilities or unsafe code patterns. Since flatted is used in both client-side and server-side JavaScript environments, the scope of affected systems is broad, including web applications, Node.js services, and potentially embedded JavaScript engines. The vulnerability does not require authentication or user interaction, increasing the risk of automated exploitation. Although no known exploits are currently reported in the wild, the high CVSS score (8.9) reflects the ease of exploitation and the severe consequences of successful attacks. Organizations failing to patch may face data integrity breaches, service disruptions, and increased attack surface for further compromise.

Mitigation Recommendations

The primary mitigation is to upgrade the flatted library to version 3.4.2 or later, where the vulnerability has been patched by enforcing strict validation of array index keys during JSON parsing. Organizations should conduct an inventory of their software dependencies to identify any usage of vulnerable flatted versions and apply updates promptly. For environments where immediate upgrading is not feasible, implementing input validation or sanitization to reject JSON containing the "__proto__" key or other prototype pollution vectors can reduce risk. Additionally, employing runtime protections such as JavaScript sandboxing, integrity monitoring, and limiting the privileges of affected applications can help contain potential damage. Developers should audit their code for unsafe usage patterns that rely on mutable prototypes and avoid extending native prototypes. Monitoring for unusual application behavior or errors related to prototype pollution can aid in early detection. Finally, integrating dependency management tools that alert on vulnerable packages will help prevent future exposure.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T02:42:27.507Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bdd4681188d0bb0cbbf673

Added to database: 3/20/2026, 11:12:40 PM

Last enriched: 3/28/2026, 9:16:03 PM

Last updated: 5/1/2026, 11:39:25 AM

