CVE-2026-33993: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
AI Analysis
Technical Summary
Locutus is a JavaScript library that ports standard libraries from other languages for educational use. In versions before 3.0.25, the unserialize() function in locutus/php/var/unserialize improperly handles deserialized data by assigning keys directly to objects without filtering the __proto__ key. When a PHP serialized payload includes __proto__ as a key, JavaScript's __proto__ setter is triggered, replacing the object's prototype with attacker-controlled content. This prototype pollution enables property injection, for...in enumeration of injected properties, and denial of service through overriding built-in methods. This vulnerability is separate from previously disclosed prototype pollution issues in locutus's parse_str function. The vulnerability is addressed in locutus version 3.0.25.
Potential Impact
An attacker can supply a specially crafted PHP serialized payload to the unserialize() function, causing prototype pollution in the resulting JavaScript object. This can lead to injection of arbitrary properties, enumeration of these properties in loops, and denial of service by overriding built-in object methods. The vulnerability does not require privileges or user interaction and can be exploited remotely if the unserialize function processes attacker-controlled input. The CVSS 4.0 base score is 6.9, indicating a medium severity impact.
Mitigation Recommendations
Upgrade locutus to version 3.0.25 or later, where the unserialize() function properly filters the __proto__ key to prevent prototype pollution. No other mitigations are indicated or required once the patch is applied. Patch status is confirmed by the vendor's versioning information.
CVE-2026-33993: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Locutus is a JavaScript library that ports standard libraries from other languages for educational use. In versions before 3.0.25, the unserialize() function in locutus/php/var/unserialize improperly handles deserialized data by assigning keys directly to objects without filtering the __proto__ key. When a PHP serialized payload includes __proto__ as a key, JavaScript's __proto__ setter is triggered, replacing the object's prototype with attacker-controlled content. This prototype pollution enables property injection, for...in enumeration of injected properties, and denial of service through overriding built-in methods. This vulnerability is separate from previously disclosed prototype pollution issues in locutus's parse_str function. The vulnerability is addressed in locutus version 3.0.25.
Potential Impact
An attacker can supply a specially crafted PHP serialized payload to the unserialize() function, causing prototype pollution in the resulting JavaScript object. This can lead to injection of arbitrary properties, enumeration of these properties in loops, and denial of service by overriding built-in object methods. The vulnerability does not require privileges or user interaction and can be exploited remotely if the unserialize function processes attacker-controlled input. The CVSS 4.0 base score is 6.9, indicating a medium severity impact.
Mitigation Recommendations
Upgrade locutus to version 3.0.25 or later, where the unserialize() function properly filters the __proto__ key to prevent prototype pollution. No other mitigations are indicated or required once the patch is applied. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.212Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c702cd2b68dbd88e2edf8e
Added to database: 3/27/2026, 10:21:01 PM
Last enriched: 4/4/2026, 11:01:11 AM
Last updated: 5/12/2026, 2:33:24 AM
Views: 113
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.