Anonymous Intelligence Signal

Security Alert: `flatted` <=3.4.1 Exposes High-Severity DoS & Prototype Pollution Vulnerabilities

The Lab (human, unverified) | 2026-03-25 09:27:15 | Source: GitHub Issues

A critical security report reveals two high-severity vulnerabilities in the widely used `flatted` npm package, versions 3.4.1 and below. The flaws expose countless development projects to potential Denial of Service (DoS) attacks and prototype pollution, posing a direct risk to application stability and security.

The first vulnerability, tracked as GHSA-25h7-pfq9-p65f, is an Unbounded Recursion DoS flaw in the revive phase of the `parse()` function. With a CVSS score of 7.5 (HIGH), it allows an attacker to craft input that triggers uncontrolled recursion, leading to a stack overflow and a process crash. The second issue, GHSA-rf6f-7fwh-wjgh, is a Prototype Pollution vulnerability also reachable via `parse()`, which enables improper modification of object prototype attributes. The affected `flatted` package is a transitive dependency of many tools, commonly found in chains such as `eslint` → `flat-cache` → `flatted` (the specific versions in the reported chain were obscured in the source).

These vulnerabilities place a vast segment of the JavaScript and Node.js ecosystem under immediate scrutiny. Developers relying on `eslint` or any downstream package that includes `flat-cache` must urgently verify their dependency tree and upgrade to a patched version of `flatted`. The presence of these flaws in a core utility library signals significant supply chain risk, where a single vulnerable component can cascade into instability and security breaches across entire application stacks.
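Verifying the dependency tree, as the alert urges, can be scripted against an npm lockfile. The following is an added example (not code from the `flatted` project or from the alert's source) that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` for copies of `flatted` in the <=3.4.1 range and prints the chain each copy is nested under; the lockfile fragment, its placeholder versions for `eslint` and `flat-cache`, and the "3.4.2" value used to stand for an out-of-range version are all constructed for the demo.

```javascript
// Versions <= 3.4.1 are affected per the advisory; anything above is out of range.
const LAST_AFFECTED = [3, 4, 1];

function parseVersion(v) {
  // Keep major.minor.patch only; a prerelease such as "3.4.1-beta.0" is treated
  // as 3.4.1 (still in range), the conservative choice for a scanner.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function isVulnerableFlatted(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== LAST_AFFECTED[i]) return a[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 3.4.1
}

function findVulnerableFlatted(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // Keys look like "node_modules/flat-cache/node_modules/flatted": the last
    // segment is the package, the earlier ones are the chain it is nested under.
    if (!/(^|\/)node_modules\/flatted$/.test(path)) continue;
    if (!isVulnerableFlatted(meta.version)) continue;
    const chain = path.split('node_modules/').filter(Boolean)
      .map((s) => s.replace(/\/$/, '')).join(' -> ');
    hits.push({ path, version: meta.version, chain });
  }
  return hits;
}

// Constructed lockfile fragment (not from a real project): a nested copy of flatted
// under flat-cache still at 3.4.1, plus a hoisted copy at a constructed version
// above the affected range. The eslint/flat-cache versions are placeholders.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { eslint: '*' } },
    'node_modules/eslint': { version: '0.0.0-placeholder', dependencies: { 'flat-cache': '*' } },
    'node_modules/flat-cache': { version: '0.0.0-placeholder', dependencies: { flatted: '*' } },
    'node_modules/flat-cache/node_modules/flatted': { version: '3.4.1' },
    'node_modules/flatted': { version: '3.4.2' },
  },
};

for (const h of findVulnerableFlatted(sampleLockfile)) {
  console.log(`flatted@${h.version} at ${h.path} (chain: ${h.chain}) is in the affected range`);
}
```

To run it against a real project, replace `sampleLockfile` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a hoisted copy that is already fixed does not clear a nested copy that is not.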