๐Ÿ” CVE Alert

CVE-2026-33993

UNKNOWN 0.0

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 13th

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh): `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
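The advisory's mechanism is the assignment step, not the PHP parsing: writing a key named `__proto__` onto a plain object through bracket notation invokes the inherited setter rather than creating an own property. The following is an added example, not Locutus's own code, that isolates that step with a constructed list of key/value pairs (`samplePairs`, standing in for what a parser would hand back) and contrasts the unfiltered assignment with two hardened forms: rejecting reserved keys and defining the rest as own data properties, or building the result on a null-prototype object so `__proto__` has no setter to invoke. The function names and the helper `forInKeys` are this example's own.

```javascript
// Added example (not Locutus code): reproduces the key-assignment step the
// advisory describes and contrasts it with two hardened forms. The parser is
// omitted; `samplePairs` is a constructed stand-in for what a PHP
// unserialize() step would hand back for a payload carrying a "__proto__" key.

const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: bracket-notation assignment onto a plain object with no
// key filtering. A "__proto__" key invokes the inherited setter, so the value
// becomes the object's prototype instead of an own property.
function assignUnfiltered(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    out[key] = value;
  }
  return out;
}

// Hardened form 1: reject reserved keys outright and create every remaining
// key as an own data property, so no inherited accessor can run.
function assignFiltered(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing reserved key ${JSON.stringify(key)}`);
    }
    Object.defineProperty(out, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Hardened form 2: build on a null-prototype object. Object.prototype is not
// in the chain, so "__proto__" is just an ordinary key.
function assignNullProto(pairs) {
  const out = Object.create(null);
  for (const [key, value] of pairs) {
    out[key] = value;
  }
  return out;
}

// Constructed input: a benign key followed by a "__proto__" key whose value
// is an object that carries an extra property and overrides toString.
const samplePairs = [
  ['name', 'alice'],
  ['__proto__', { injected: true, toString: () => 'overridden' }],
];

// Keys visible to for...in (own plus inherited enumerable), in order.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Summarise the observable difference between the three assignment styles.
function demo(pairs = samplePairs) {
  const bad = assignUnfiltered(pairs);
  const nullProto = assignNullProto(pairs);
  let filteredError = null;
  try {
    assignFiltered(pairs);
  } catch (err) {
    filteredError = err.message;
  }
  return {
    // Unfiltered: prototype replaced, property leaks in, toString overridden.
    unfilteredInjected: bad.injected,                // true (inherited)
    unfilteredOwnKeys: Object.keys(bad),             // ['name']
    unfilteredForInKeys: forInKeys(bad),             // ['name', 'injected', 'toString']
    unfilteredToString: String(bad),                 // 'overridden'
    unfilteredHasOwnProto: Object.prototype.hasOwnProperty.call(bad, '__proto__'), // false
    // Null-prototype: "__proto__" stored as plain own data, nothing inherited.
    nullProtoInjected: nullProto.injected,           // undefined
    nullProtoHasOwnProto: Object.prototype.hasOwnProperty.call(nullProto, '__proto__'), // true
    // Filtered: the reserved key is refused before any assignment happens.
    filteredError,                                   // 'refusing reserved key "__proto__"'
  };
}
```

Call `demo()` to see the three outcomes side by side. The for...in and `String()` results are the two symptoms the advisory names (propagation of injected properties and built-in method override); the filtered and null-prototype variants show that either refusing the key or removing the setter from the chain is enough to close both.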

CWE CWE-1321
Vendor locutusjs
Product locutus
Published Mar 27, 2026
Last Updated Mar 30, 2026

Affected Versions

locutusjs / locutus
< 3.0.25

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877
github.com: https://github.com/locutusjs/locutus/pull/597
github.com: https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
github.com: https://github.com/locutusjs/locutus/releases/tag/v3.0.25