CVE-2026-25521
Locutus is vulnerable to Prototype Pollution
| CVSS Score | 9.3 |
| EPSS Score | 0.2% |
| EPSS Percentile | 15th |
Locutus ports the standard libraries of other programming languages to JavaScript for educational purposes. Versions from 2.0.12 up to but not including 2.0.39 contain a prototype pollution vulnerability. An earlier fix attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, but that check is insufficient: crafted input that makes use of String.prototype can still pollute Object.prototype. The issue is patched in version 2.0.39.
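An added illustrative example, not locutus code: a hardened nested-key setter of the kind a parse_str-style port needs (that the affected routine is such a parser is an assumption), paired with a regression check that confirms Object.prototype stays clean after parsing hostile input. Keys are validated at every nesting level after URL decoding, containers are null-prototype objects, and descent never follows inherited properties.

```javascript
// Illustrative example, not locutus code. Assumption: the affected routine is a
// parse_str-style parser that writes bracketed keys such as a[b][c]=v into
// nested objects. Guard every segment, not just the top-level key.
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype'])

// Split "a[b][c]" into ["a", "b", "c"]; returns null for malformed keys.
function splitKey(rawKey) {
  const m = /^([^[\]]+)((?:\[[^\]]*\])*)$/.exec(rawKey)
  if (!m) return null
  const segs = [m[1]]
  for (const [, inner] of m[2].matchAll(/\[([^\]]*)\]/g)) segs.push(inner)
  return segs
}
// Validate each segment (already URL-decoded), build null-prototype containers,
// and descend only through own properties, never inherited ones.
function setPath(root, segs, value) {
  let node = root
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i]
    if (DANGEROUS.has(seg)) throw new Error('reserved key rejected: ' + seg)
    if (i === segs.length - 1) { node[seg] = value; return root }
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null)
    }
    node = node[seg]
  }
  return root
}
// Constructed minimal parser for "a[b][c]=v&x=y" style input.
function parseNested(query) {
  const result = Object.create(null)
  for (const pair of query.split('&')) {
    if (pair === '') continue
    const eq = pair.indexOf('=')
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq))
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1))
    const segs = splitKey(key)
    if (segs) setPath(result, segs, value)
  }
  return result
}
// Regression check to keep in CI: parse the input, then confirm a fresh {}
// did not inherit the marker property from Object.prototype.
function prototypeStaysClean(query, marker) {
  let rejected = false
  try { parseNested(query) } catch (e) { rejected = true }
  return { rejected, clean: !(marker in {}) }
}
```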
| CWE | CWE-1321 |
| Vendor | locutusjs |
| Product | locutus |
| Published | Feb 4, 2026 |
| Last Updated | Jun 27, 2026 |
Affected Versions
locutusjs / locutus
>= 2.0.12, < 2.0.39
References
github.com: https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh
github.com: https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c
access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-25521
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2436950
security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25521.json