Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1131505,
regarding trixie-pu: package node-flatted/3.2.7~ds-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131505: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131505
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-flatted
User: [email protected]
Usertags: pu
[ Reason ]
node-flatted is vulnerable to CVE-2026-33228 (#1131462): Prior to version
3.4.2, the parse() function in flatted can use attacker-controlled string
values from the parsed JSON as direct array index keys, without validating
that they are numeric. Since the internal input buffer is a JavaScript Array,
accessing it with the key "__proto__" returns Array.prototype via the
inherited getter. This object is then treated as a legitimate parsed value
and assigned as a property of the output object, effectively leaking a live
reference to Array.prototype to the consumer. Any code that subsequently
writes to that property will pollute the global prototype.
[ Impact ]
Medium security issue
[ Tests ]
Test passes
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 42e0c4e..ec99603 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-flatted (3.2.7~ds-1+deb13u1) trixie; urgency=medium
+
+ * Team upload
+ * Add patch for CVE-2026-33228 (prototype pollution in parse)
+ (Closes: #1131462)
+
+ -- Yadd <[email protected]> Sun, 22 Mar 2026 07:13:05 +0100
+
node-flatted (3.2.7~ds-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2026-33228.patch
b/debian/patches/CVE-2026-33228.patch
new file mode 100644
index 0000000..a64edc6
--- /dev/null
+++ b/debian/patches/CVE-2026-33228.patch
@@ -0,0 +1,17 @@
+Description: Fix prototype pollution in parse() (CVE-2026-33228)
+ Coerce index value to number before using as array key to prevent
+ __proto__ from leaking Array.prototype.
+Origin: upstream,
https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802
+Bug-Debian: https://bugs.debian.org/1131462
+
+--- a/esm/index.js
++++ b/esm/index.js
+@@ -25,7 +25,7 @@
+ const k = ke[y];
+ const value = output[k];
+ if (value instanceof Primitive) {
+- const tmp = input[value];
++ const tmp = input[+value];
+ if (typeof tmp === object && !parsed.has(tmp)) {
+ parsed.add(tmp);
+ output[k] = ignore;
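Review bot: the one-character fix at `+ const tmp = input[+value];` handles the reported case correctly: `+'__proto__'` evaluates to NaN, `input[NaN]` is undefined, and the unchanged `typeof tmp === object` test then rejects it instead of reaching the inherited Array.prototype getter; any other non-numeric reference string is rejected the same way, while legitimate numeric index strings still resolve to the same element. Two things to confirm before upload: the patch only touches esm/index.js, and the series also carries 2003_rollup-babel.patch, so check that every built copy of parse() shipped in the binary package is generated from this file rather than needing a separate hunk; and the DEP-3 `Origin:` header appears here with its URL wrapped onto a second line, which is not a valid continuation, so make sure the committed patch keeps the URL on the `Origin:` line.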
diff --git a/debian/patches/series b/debian/patches/series
index 9ac8ac1..c4c9acb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
2001_privacy.patch
2002_drop-babel-typeof.patch
2003_rollup-babel.patch
+CVE-2026-33228.patch
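Review bot: style point on `+CVE-2026-33228.patch`: the existing entries in this series use a numeric prefix (2001_, 2002_, 2003_), so a name such as 2004_CVE-2026-33228.patch (with the file renamed accordingly) would keep the ordering convention consistent; harmless as is since the patch is appended last.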
--- End Message ---
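The lookup behaviour described in the [ Reason ] section of the report above, as an added example that is not flatted's own source and not part of the original message: a minimal re-creation of the reference-resolution step, with the array lookup factored out so the weak lookup (`input[value]`) and the patched one (`input[+value]`) can be compared on the same constructed inputs. The helper names (`resolveRefs`, `leaksBuiltinPrototype`, `demo`) and the simplified single-level revive are assumptions made for the illustration.

```javascript
// Added example (not flatted's own source): a minimal re-creation of the
// reference-resolution step described in the bug report, with the lookup
// factored out so the weak and the fixed variants can be compared.
const object = 'object';

// Weak lookup: uses the string taken from the parsed JSON directly as an
// array key. "__proto__" on an Array reaches the inherited accessor and
// returns Array.prototype.
const lookupUnsafe = (input, ref) => input[ref];

// Fixed lookup (what the Debian/upstream patch does with `input[+value]`):
// coerce to a number first. "__proto__" becomes NaN and input[NaN] is undefined.
const lookupCoerced = (input, ref) => input[+ref];

// Simplified revive step (assumption: one level only, no recursion). Strings
// inside the root object are treated as references into the top-level array,
// which is how flatted encodes object graphs.
function resolveRefs(json, lookup) {
  const input = JSON.parse(json);
  const output = input[0];
  const parsed = new Set([output]);
  for (const k of Object.keys(output)) {
    const value = output[k];
    if (typeof value !== 'string') continue;
    const tmp = lookup(input, value);
    if (typeof tmp === object && !parsed.has(tmp)) {
      parsed.add(tmp);
      output[k] = tmp;   // the real library recurses into tmp here
    } else {
      output[k] = tmp;   // undefined (rejected reference) or a primitive
    }
  }
  return output;
}

// Constructed inputs: a normal flatted-style document and one whose
// reference string is a non-numeric key.
const benign = '[{"a":"1"},{"b":2}]';
const hostile = '[{"a":"__proto__"}]';

// Defender-side check a consumer could run on parser output: does any
// resolved property alias a built-in prototype object?
function leaksBuiltinPrototype(obj) {
  const builtins = [Array.prototype, Object.prototype, Function.prototype];
  return Object.values(obj).some((v) => builtins.includes(v));
}

// Runs both variants on both inputs and reports what each produced.
function demo() {
  return {
    benignUnsafe: resolveRefs(benign, lookupUnsafe).a.b,                            // 2
    benignFixed: resolveRefs(benign, lookupCoerced).a.b,                            // 2
    hostileUnsafeLeaks: leaksBuiltinPrototype(resolveRefs(hostile, lookupUnsafe)),  // true
    hostileFixedLeaks: leaksBuiltinPrototype(resolveRefs(hostile, lookupCoerced)),  // false
    hostileFixedValue: resolveRefs(hostile, lookupCoerced).a,                       // undefined
  };
}

console.log(demo());
```

The numeric coercion keeps every legitimate reference working, since flatted only ever emits decimal index strings, while any key that is not a number collapses to NaN and is dropped by the existing `typeof` guard. The `leaksBuiltinPrototype` check is the kind of assertion a consumer of untrusted serialized data can add to notice a leaked prototype reference before anything writes through it.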
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---