CVE Alert

CVE-2026-33994

CRITICAL 9.8

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

CVSS Score 9.8
EPSS Score 0.0%
EPSS Percentile 0th

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original: it trades one hijackable built-in for another. Version 3.0.25 contains an updated fix.
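As an added example (not code from locutus, and not necessarily the approach taken in 3.0.25), the guard shape the advisory describes is shown next to one that does not call any prototype method, together with a regression check that exercises both while `RegExp.prototype.test` is temporarily reassigned. `assignQuery` is an assumed, simplified stand-in for `parse_str`.

```javascript
// Guard in the shape of the incomplete fix: the call goes through
// RegExp.prototype.test, a writable built-in any code in the realm can replace.
function isBlockedKeyViaRegExp(key) {
  return /^(__proto__|constructor|prototype)$/.test(key);
}

// Hardened guard: only === comparisons against string literals, so no
// prototype method is looked up at call time.
function isBlockedKeyStrict(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

// Assumed simplification of parse_str: "a[b]=1" sets target.a.b = "1" on a
// caller-supplied plain object. Any pair with a blocked path segment is dropped.
function assignQuery(query, target, isBlocked) {
  for (const pair of query.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('='); // value after first '='
    // "a[b][c]" -> ["a", "b", "c"]
    const path = decodeURIComponent(rawKey).split(/\]?\[|\]/).filter(Boolean);
    if (path.length === 0 || path.some(isBlocked)) continue;
    let node = target;
    for (const k of path.slice(0, -1)) {
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
      node = node[k];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return target;
}

// Regression check for a key guard: call it on "__proto__" while
// RegExp.prototype.test is replaced, then restore the built-in.
// Returns true only if the guard still blocks the key.
function guardHoldsUnderOverride(guard) {
  const original = RegExp.prototype.test;
  RegExp.prototype.test = function () { return false; };
  try {
    return guard('__proto__') === true;
  } finally {
    RegExp.prototype.test = original;
  }
}
```

The check is the kind of unit test to keep next to any such guard: it fails for the RegExp-based version and passes for the literal-comparison version.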

CWE CWE-1321
Vendor locutusjs
Product locutus
Published Mar 27, 2026
Last Updated Apr 1, 2026

Affected Versions

locutusjs / locutus
>= 2.0.39, < 3.0.25

References

NVD, CVE.org, EPSS Data
https://github.com/locutusjs/locutus/security/advisories/GHSA-vc8f-x9pp-wf5p
https://github.com/locutusjs/locutus/pull/597
https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
https://github.com/locutusjs/locutus/releases/tag/v3.0.25