Locutus is a JavaScript library that ports standard libraries from other programming languages for educational use. The vulnerability CVE-2026-33993 affects the unserialize() function in the PHP var module of locutus versions prior to 3.0.25. This function deserializes PHP serialized data into JavaScript objects by assigning keys directly to plain objects using bracket notation. However, it fails to filter out the special __proto__ key, which in JavaScript is a setter that modifies an object's prototype. When an attacker crafts a PHP serialized payload containing __proto__ as a key with an array or object value, the unserialize() function triggers the __proto__ setter, replacing the prototype of the resulting object with attacker-controlled content. This prototype pollution allows attackers to inject arbitrary properties into all objects inheriting from the polluted prototype. Consequences include property injection that can affect application logic, propagation of malicious properties during iteration (for...in loops), and denial of service by overriding or disabling built-in methods. Unlike a previously reported prototype pollution in locutus's parse_str function, this vulnerability is in a different function and had no prior mitigations. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The issue was addressed in locutus version 3.0.25 by filtering or blocking the __proto__ key during deserialization. No public exploits have been reported yet, but the medium CVSS score of 6.9 reflects the potential impact and ease of exploitation.

This vulnerability can have significant impacts on organizations using locutusjs versions prior to 3.0.25 in their JavaScript environments, especially if they deserialize untrusted PHP serialized data. Prototype pollution can lead to arbitrary property injection affecting application behavior, potentially causing logic errors, security bypasses, or data corruption. The ability to override built-in methods can result in denial of service conditions, destabilizing applications or services. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by attackers supplying malicious serialized payloads. This increases the attack surface, particularly for web applications or services that accept serialized data inputs. While no known exploits are currently reported, the widespread use of locutusjs in educational or development contexts means that vulnerable versions could be present in various environments. Organizations relying on locutusjs for PHP serialization emulation or similar functionality should consider the risk of prototype pollution leading to compromised application integrity and availability.

Organizations should immediately upgrade locutusjs to version 3.0.25 or later, where the vulnerability is patched by filtering the __proto__ key during deserialization. If upgrading is not immediately feasible, implement input validation to reject or sanitize serialized data containing the __proto__ key or other suspicious keys before deserialization. Employ runtime protections such as freezing or sealing prototypes of critical objects to prevent prototype modification. Use security-focused static analysis or code review tools to detect unsafe deserialization patterns involving bracket notation assignments. Limit exposure by restricting access to interfaces that accept serialized data, applying network-level filtering or authentication controls. Monitor application logs for unusual property injection patterns or errors related to prototype pollution. Educate developers about the risks of prototype pollution and safe deserialization practices. Finally, maintain an inventory of locutusjs usage across projects to ensure all instances are identified and remediated.