Your message dated Sun, 22 Mar 2026 06:18:52 +0000
with message-id <[email protected]>
and subject line Bug#1131462: fixed in node-flatted 3.4.2~ds-1
has caused the Debian Bug report #1131462,
regarding node-flatted: CVE-2026-33228
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131462
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-flatted
Version: 3.4.1~ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-flatted.
CVE-2026-33228[0]:
| flatted is a circular JSON parser. Prior to version 3.4.2, the
| parse() function in flatted can use attacker-controlled string
| values from the parsed JSON as direct array index keys, without
| validating that they are numeric. Since the internal input buffer is
| a JavaScript Array, accessing it with the key "__proto__" returns
| Array.prototype via the inherited getter. This object is then
| treated as a legitimate parsed value and assigned as a property of
| the output object, effectively leaking a live reference to
| Array.prototype to the consumer. Any code that subsequently writes
| to that property will pollute the global prototype. This issue has
| been patched in version 3.4.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33228
https://www.cve.org/CVERecord?id=CVE-2026-33228
[1] https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh
[2] https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
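The mechanism in the CVE text above, as an added example that is not part of the original messages and is not flatted's code: a simplified model of index-based revival, with the unchecked lookup beside a validated one. The function names, both sample inputs and the numeric-index check are assumptions made for illustration; the upstream fix in 3.4.2 may validate differently.

```javascript
// Simplified model of index-based revival; this is not flatted's source code.
// Slot 0 of the JSON array is the root, and every string value inside an
// object is treated as a reference to another slot of the same array.

// Constructed hostile input: the reference is a property name, not an index.
const HOSTILE = '[{"leak":"__proto__"}]';
// Constructed benign input: a self-reference plus a string held in slot 1.
const BENIGN = '[{"self":"0","name":"1"},"root"]';

// Pre-fix behaviour as the advisory describes it: the string is used as a key
// on the Array, so inherited properties are reachable.
function resolveUnchecked(slots, ref) {
  return slots[ref];
}

// Hardened lookup (assumed check): canonical decimal index, within bounds.
function resolveChecked(slots, ref) {
  if (!/^(0|[1-9]\d*)$/.test(ref) || Number(ref) >= slots.length) {
    throw new TypeError('invalid slot reference: ' + JSON.stringify(ref));
  }
  return slots[Number(ref)];
}

function revive(text, resolve) {
  const slots = JSON.parse(text);
  if (!Array.isArray(slots)) throw new TypeError('expected a JSON array');
  const seen = new Set();
  const link = (value) => {
    if (value === null || typeof value !== 'object' || seen.has(value)) return value;
    seen.add(value);
    for (const key of Object.keys(value)) {
      if (typeof value[key] === 'string') value[key] = link(resolve(slots, value[key]));
    }
    return value;
  };
  return link(slots[0]);
}

// Returns what each resolver does with both inputs.
function compare() {
  const benign = revive(BENIGN, resolveChecked);
  let rejected = false;
  try { revive(HOSTILE, resolveChecked); } catch (e) { rejected = e instanceof TypeError; }
  return {
    benignOk: benign.self === benign && benign.name === 'root',
    leaksArrayPrototype: revive(HOSTILE, resolveUnchecked).leak === Array.prototype,
    rejected,
  };
}

console.log(compare());
```

The same check also rejects other inherited keys such as `constructor` or `length`, which the unchecked lookup would resolve on the Array as well.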
--- Begin Message ---
Source: node-flatted
Source-Version: 3.4.2~ds-1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-flatted, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-flatted package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Mar 2026 07:05:28 +0100
Source: node-flatted
Architecture: source
Version: 3.4.2~ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1131462
Changes:
node-flatted (3.4.2~ds-1) unstable; urgency=medium
.
* Team upload
* Drop "Priority: optional"
* debian/watch version 5
* New upstream version 3.4.2~ds (Closes: #1131462, CVE-2026-33228)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---