CVE-2026-33994: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
AI Analysis
Technical Summary
Locutus is an npm package that ports standard libraries from other programming languages to JavaScript, primarily for educational use. In versions >= 2.0.39 and < 3.0.25, the parse_str function contains a prototype pollution vulnerability (CWE-1321). Prototype pollution occurs when an attacker can modify the Object.prototype, affecting all objects and potentially leading to arbitrary code execution or denial of service. The vulnerability arises because the patch for a previous issue (CVE-2026-25521) replaced a guard using String.prototype.includes() with one using RegExp.prototype.test(). However, RegExp.prototype.test is itself writable and can be overridden by an attacker, allowing them to bypass the guard and inject malicious properties into Object.prototype. This can lead to unexpected behavior in applications using locutus, including data corruption or crashes. The vulnerability does not require authentication or user interaction and can be exploited remotely via crafted query strings passed to parse_str. The issue is fixed in locutus version 3.0.25 with an improved guard mechanism that cannot be bypassed by overriding RegExp.prototype.test.
Potential Impact
The prototype pollution vulnerability in locutus can have significant impacts on applications that depend on this library. By modifying Object.prototype, an attacker can alter the behavior of all objects in the JavaScript environment, potentially leading to data integrity issues, application logic manipulation, or denial of service through crashes or infinite loops. Since locutus is used for educational purposes and possibly in development or testing environments, the direct impact on production systems may be limited but still relevant if locutus is included in production dependencies. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of widespread exploitation if the package is used in web-facing applications. The medium CVSS score reflects the moderate ease of exploitation and the potential for partial impact on integrity and availability, though confidentiality is not directly affected. No known exploits are currently reported in the wild, but the vulnerability should be addressed promptly to prevent future attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade locutus to version 3.0.25 or later, where the prototype pollution issue is properly fixed. If upgrading immediately is not feasible, users should audit their usage of the parse_str function and avoid passing untrusted input to it. Implement strict input validation and sanitization on any query strings or data processed by locutus to reduce the risk of injection. Additionally, consider using security tools that detect prototype pollution attempts during runtime or static analysis. Monitoring dependencies for updates and applying patches promptly is critical. Developers should also review their dependency trees to ensure no indirect usage of vulnerable locutus versions. Finally, consider isolating or sandboxing environments where locutus is used to limit the impact of potential prototype pollution.
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea
CVE-2026-33994: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Locutus is an npm package that ports standard libraries from other programming languages to JavaScript, primarily for educational use. In versions >= 2.0.39 and < 3.0.25, the parse_str function contains a prototype pollution vulnerability (CWE-1321). Prototype pollution occurs when an attacker can modify the Object.prototype, affecting all objects and potentially leading to arbitrary code execution or denial of service. The vulnerability arises because the patch for a previous issue (CVE-2026-25521) replaced a guard using String.prototype.includes() with one using RegExp.prototype.test(). However, RegExp.prototype.test is itself writable and can be overridden by an attacker, allowing them to bypass the guard and inject malicious properties into Object.prototype. This can lead to unexpected behavior in applications using locutus, including data corruption or crashes. The vulnerability does not require authentication or user interaction and can be exploited remotely via crafted query strings passed to parse_str. The issue is fixed in locutus version 3.0.25 with an improved guard mechanism that cannot be bypassed by overriding RegExp.prototype.test.
Potential Impact
The prototype pollution vulnerability in locutus can have significant impacts on applications that depend on this library. By modifying Object.prototype, an attacker can alter the behavior of all objects in the JavaScript environment, potentially leading to data integrity issues, application logic manipulation, or denial of service through crashes or infinite loops. Since locutus is used for educational purposes and possibly in development or testing environments, the direct impact on production systems may be limited but still relevant if locutus is included in production dependencies. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of widespread exploitation if the package is used in web-facing applications. The medium CVSS score reflects the moderate ease of exploitation and the potential for partial impact on integrity and availability, though confidentiality is not directly affected. No known exploits are currently reported in the wild, but the vulnerability should be addressed promptly to prevent future attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade locutus to version 3.0.25 or later, where the prototype pollution issue is properly fixed. If upgrading immediately is not feasible, users should audit their usage of the parse_str function and avoid passing untrusted input to it. Implement strict input validation and sanitization on any query strings or data processed by locutus to reduce the risk of injection. Additionally, consider using security tools that detect prototype pollution attempts during runtime or static analysis. Monitoring dependencies for updates and applying patches promptly is critical. Developers should also review their dependency trees to ensure no indirect usage of vulnerable locutus versions. Finally, consider isolating or sandboxing environments where locutus is used to limit the impact of potential prototype pollution.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.212Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c702cd2b68dbd88e2edf94
Added to database: 3/27/2026, 10:21:01 PM
Last enriched: 3/27/2026, 10:36:59 PM
Last updated: 3/27/2026, 11:27:40 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.