Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-flatted
User: [email protected]
Usertags: pu
[ Reason ]
node-flatted is vulnerable to CVE-2026-33228 (#1131462):

  Prior to version 3.4.2, the parse() function in flatted can use
  attacker-controlled string values from the parsed JSON as direct array
  index keys, without validating that they are numeric. Since the
  internal input buffer is a JavaScript Array, accessing it with the key
  "__proto__" returns Array.prototype via the inherited getter. This
  object is then treated as a legitimate parsed value and assigned as a
  property of the output object, effectively leaking a live reference to
  Array.prototype to the consumer. Any code that subsequently writes to
  that property will pollute the global prototype.

[ Impact ]
Medium security issue

[ Tests ]
Test passes

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog index 42e0c4e..ec99603 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-flatted (3.2.7~ds-1+deb13u1) trixie; urgency=medium + + * Team upload + * Add patch for CVE-2026-33228 (prototype pollution in parse) + (Closes: #1131462) + + -- Yadd <[email protected]> Sun, 22 Mar 2026 07:13:05 +0100 + node-flatted (3.2.7~ds-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2026-33228.patch b/debian/patches/CVE-2026-33228.patch new file mode 100644 index 0000000..a64edc6 --- /dev/null +++ b/debian/patches/CVE-2026-33228.patch @@ -0,0 +1,17 @@ +Description: Fix prototype pollution in parse() (CVE-2026-33228) + Coerce index value to number before using as array key to prevent + __proto__ from leaking Array.prototype. +Origin: upstream, https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802 +Bug-Debian: https://bugs.debian.org/1131462 + +--- a/esm/index.js ++++ b/esm/index.js +@@ -25,7 +25,7 @@ + const k = ke[y]; + const value = output[k]; + if (value instanceof Primitive) { +- const tmp = input[value]; ++ const tmp = input[+value]; + if (typeof tmp === object && !parsed.has(tmp)) { + parsed.add(tmp); + output[k] = ignore; diff --git a/debian/patches/series b/debian/patches/series index 9ac8ac1..c4c9acb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 2001_privacy.patch 2002_drop-babel-typeof.patch 2003_rollup-babel.patch +CVE-2026-33228.patch
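Review bot: the `-    const tmp = input[value];` / `+    const tmp = input[+value];` change in debian/patches/CVE-2026-33228.patch lands only in esm/index.js, while flatted also ships a CommonJS build and minified bundles; the 2003_rollup-babel.patch entry in series suggests those are regenerated from esm/index.js at build time, but please confirm that cjs/index.js (and any shipped min.js) in the built binary package actually contain the coerced lookup, otherwise the same one-line change is needed there. On the fix itself: `+value` turns "__proto__" into NaN, `input[NaN]` reads the non-existent "NaN" property and yields undefined, so the following `typeof tmp === object` guard fails closed; it is not a strict "is a canonical array index" check (strings such as "0x1" or "1e0" also coerce to numbers), which is acceptable because any numeric key only reaches a real buffer slot or undefined, but a sentence to that effect in the Description field would help a later reader.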
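Review bot: the new series entry `+CVE-2026-33228.patch` does not follow the numbered naming used by the existing entries (2001_privacy.patch, 2002_drop-babel-typeof.patch, 2003_rollup-babel.patch); consider 2004_CVE-2026-33228.patch or similar so the intended application order stays explicit alongside the existing patches.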
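The [ Reason ] section describes the mechanism in prose; the following is an added example, written for this page and not flatted's own code nor the Debian patch, that models the revive step of parse() in reduced form so the leak and the effect of the `+value` coercion can be run side by side. The names Primitive, parseRecords, resolve, reviveUnsafe, reviveSafe and pollutionObserved are this example's own, and the payload is constructed. It goes one step beyond the patch by also showing the consumer-side write that turns the leaked reference into actual prototype pollution.

```javascript
// Reduced model of the flatted parse() revive step (added example, not
// flatted's own code or the Debian patch). All names here are assumptions
// made for this example.

// In the flatted wire format a document is a JSON array of records; any
// string found inside a record is a reference, i.e. a decimal index into
// that array. The real library marks such strings with a wrapper class.
class Primitive {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

// Constructed payload: record 0 refers to "__proto__" instead of a numeric
// index, and to record 1 ("hello") through a legitimate index.
const PAYLOAD = JSON.stringify([{ leak: "__proto__", ok: "1" }, "hello"]);

// Wrap every string in the JSON as a Primitive so later steps treat it as
// a reference into the record array.
function parseRecords(text) {
  return JSON.parse(text, (_, v) => (typeof v === "string" ? new Primitive(v) : v));
}

// Resolve the references of one record against the input buffer.
// coerceIndex=false reproduces the vulnerable lookup input[value]: the
// Primitive becomes a property key via toString(), so "__proto__" hits the
// inherited Array.prototype getter of the input array.
// coerceIndex=true reproduces the fix, input[+value]: "__proto__" coerces
// to NaN, input[NaN] is input["NaN"], which is undefined, so nothing leaks.
function resolve(input, record, coerceIndex) {
  const out = {};
  for (const k of Object.keys(record)) {
    const value = record[k];
    if (value instanceof Primitive) {
      const tmp = coerceIndex ? input[+value] : input[value];
      out[k] = tmp instanceof Primitive ? tmp.toString() : tmp;
    } else {
      out[k] = value;
    }
  }
  return out;
}

function reviveUnsafe(text) {
  const input = parseRecords(text);
  return resolve(input, input[0], false);
}

function reviveSafe(text) {
  const input = parseRecords(text);
  return resolve(input, input[0], true);
}

// The consequence named in the bug report: a consumer that writes to the
// leaked property pollutes every array in the realm. The write is undone
// afterwards so this function leaves the process clean.
function pollutionObserved(text) {
  const out = reviveUnsafe(text);
  out.leak.polluted = "yes";
  const seen = [].polluted === "yes";
  delete Array.prototype.polluted;
  return seen;
}

console.log("unsafe leak is Array.prototype:", reviveUnsafe(PAYLOAD).leak === Array.prototype);
console.log("safe leak:", reviveSafe(PAYLOAD).leak);
console.log("pollution observed through unsafe parse:", pollutionObserved(PAYLOAD));
```

Run with `node` on any recent release. The legitimate reference "1" resolves to "hello" on both paths, which is the point of the fix: numeric coercion changes nothing for well-formed input and only closes the non-numeric key path.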

