CVE-2026-33228: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in WebReflection flatted
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33228 affects the flatted library, a circular JSON parser used in JavaScript environments. In versions prior to 3.4.2, the parse() function does not validate whether string keys from the parsed JSON are numeric before using them as array indices on an internal JavaScript Array buffer. Because JavaScript arrays inherit from Array.prototype, accessing the key "__proto__" returns the prototype object rather than a normal array element. This prototype object reference is then assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. An attacker can exploit this by crafting JSON input containing the "__proto__" key; any subsequent write the application makes to that property then lands on the global Array.prototype. Such prototype pollution can alter the behavior of all arrays in the affected runtime, leading to arbitrary code execution, denial of service, or data corruption. The vulnerability does not require privileges or user interaction and can be triggered remotely by supplying malicious JSON input. The issue has been addressed in flatted version 3.4.2 by validating keys before use and preventing prototype pollution. No known exploits have been reported in the wild yet, but the vulnerability is critical due to its broad impact and ease of exploitation.
Potential Impact
This vulnerability can have severe consequences for organizations using the flatted library in their JavaScript applications. Prototype pollution can lead to arbitrary code execution, allowing attackers to escalate privileges or execute malicious payloads within the application context. It can also cause denial of service by corrupting application logic or crashing processes. Data integrity may be compromised if application behavior is altered unexpectedly. Since flatted is used for parsing circular JSON structures, many web applications, backend services, and Node.js environments could be affected. The vulnerability's remote exploitability without authentication increases the risk of widespread attacks. Organizations relying on vulnerable versions may experience service disruptions, data breaches, or unauthorized access, impacting business continuity and reputation.
Mitigation Recommendations
The primary mitigation is to upgrade the flatted library to version 3.4.2 or later, where the vulnerability has been patched. Organizations should audit their dependencies to identify usage of flatted versions prior to 3.4.2 and update accordingly. In addition, implement input validation and sanitization to reject or safely handle JSON inputs containing suspicious keys such as "__proto__". Employ runtime protections such as JavaScript sandboxing or integrity checks to detect prototype pollution attempts. Monitoring application logs for unusual behavior related to object prototypes can help detect exploitation attempts. For critical environments, consider applying Web Application Firewalls (WAFs) with rules to block malicious JSON payloads targeting prototype pollution. Finally, maintain an up-to-date inventory of third-party libraries and apply security patches promptly to reduce exposure.
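The following is an added example, not code from the flatted project or from this advisory's author. It illustrates the mechanism in the description (a non-numeric key used against an Array buffer resolves through the prototype chain) and the two defensive checks the mitigation section calls for: validating that reference keys are genuine array indices before using them, and rejecting untrusted JSON that carries prototype-related keys. EXAMPLE_BUFFER is a constructed sample; isArrayIndexKey, lookupUnsafe, lookupSafe, leaksArrayPrototype, parseJsonRejectingProtoKeys and selfCheck are illustrative names and are not flatted APIs.

```javascript
// Added example, not code from the flatted project. Names below are
// illustrative assumptions, not flatted's own functions.

// Constructed stand-in for a parser's internal input buffer: a plain Array of
// already-parsed values that reference keys are supposed to index into.
const EXAMPLE_BUFFER = [{ a: '1', b: '2' }, 'hello', 'world'];

// Keys that commonly act as prototype-pollution gadgets on plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for a canonical array-index string: decimal digits, no leading
// zero (except "0" itself), and at most 2^32 - 2, the largest valid index.
function isArrayIndexKey(key) {
  if (typeof key !== 'string') return false;
  if (!/^(?:0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= 4294967294;
}

// The pattern the advisory describes: any string is used as the array key,
// so a non-numeric key walks the prototype chain instead of the buffer.
// "__proto__" resolves to Array.prototype through the inherited accessor.
function lookupUnsafe(buffer, key) {
  return buffer[key];
}

// Hardened variant: accept only an own, in-range index, so inherited
// properties such as "__proto__" or "length" can never be returned as if
// they were parsed values.
function lookupSafe(buffer, key) {
  if (!isArrayIndexKey(key)) {
    throw new TypeError(`invalid reference key: ${JSON.stringify(key)}`);
  }
  if (!Object.prototype.hasOwnProperty.call(buffer, key)) {
    throw new RangeError(`reference key out of range: ${key}`);
  }
  return buffer[key];
}

// Does the unsafe lookup hand back a live Array.prototype reference?
function leaksArrayPrototype(buffer, key) {
  return lookupUnsafe(buffer, key) === Array.prototype;
}

// Input-side mitigation: parse untrusted JSON with a reviver that aborts the
// parse when a forbidden key appears at any nesting depth. JSON.parse creates
// "__proto__" as an own data property, so the reviver does see it and can
// refuse it before any downstream code touches the result.
function parseJsonRejectingProtoKeys(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new SyntaxError(`forbidden key in JSON input: ${key}`);
    }
    return value;
  });
}

// Quick self-check returning what each path does on the sample buffer.
function selfCheck() {
  let safeRejected = false;
  try {
    lookupSafe(EXAMPLE_BUFFER, '__proto__');
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  return {
    unsafeLeaksPrototype: leaksArrayPrototype(EXAMPLE_BUFFER, '__proto__'),
    safeRejectsProtoKey: safeRejected,
    safeIndexLookup: lookupSafe(EXAMPLE_BUFFER, '1'),
  };
}

console.log(JSON.stringify(selfCheck()));
// → {"unsafeLeaksPrototype":true,"safeRejectsProtoKey":true,"safeIndexLookup":"hello"}
```

The index check is an allowlist (only canonical index strings pass), which is the fix that actually closes the bug class; the reviver is a denylist and only a second layer, useful at the boundary where JSON from outside the trust boundary enters the application. Both are cheap enough to keep after upgrading to 3.4.2.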
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T02:42:27.507Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bdd4681188d0bb0cbbf673
Added to database: 3/20/2026, 11:12:40 PM
Last enriched: 3/20/2026, 11:27:57 PM
Last updated: 3/21/2026, 12:03:54 AM