CVE-2026-33994: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
AI Analysis
Technical Summary
Locutus is a JavaScript package that ports standard libraries from other languages. Versions >= 2.0.39 and < 3.0.25 have a prototype pollution vulnerability in the parse_str function. The vulnerability arises because the guard against prototype pollution was changed from using String.prototype.includes() to RegExp.prototype.test(), but RegExp.prototype.test is itself writable and can be overridden by an attacker. This allows an attacker to bypass the guard by overriding RegExp.prototype.test and then passing a crafted query string to parse_str, resulting in pollution of Object.prototype. This vulnerability is a regression from an incomplete fix for CVE-2026-25521. The issue is fixed in version 3.0.25 with an updated patch.
Potential Impact
Successful exploitation allows an attacker to modify Object.prototype, which can lead to unexpected behavior in applications using the vulnerable locutus versions. This can cause security issues such as privilege escalation or denial of service depending on how the polluted prototype is used. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS score of 6.3 reflects a medium severity impact with low attack complexity and no privileges required.
Mitigation Recommendations
Upgrade locutus to version 3.0.25 or later, where the vulnerability is fixed with an updated guard against prototype pollution. There is no indication that temporary workarounds or other mitigations are effective. Patch status is confirmed by the versioning information in the advisory. Users should verify they are not using affected versions and update accordingly.
CVE-2026-33994: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in locutusjs locutus
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Locutus is a JavaScript package that ports standard libraries from other languages. Versions >= 2.0.39 and < 3.0.25 have a prototype pollution vulnerability in the parse_str function. The vulnerability arises because the guard against prototype pollution was changed from using String.prototype.includes() to RegExp.prototype.test(), but RegExp.prototype.test is itself writable and can be overridden by an attacker. This allows an attacker to bypass the guard by overriding RegExp.prototype.test and then passing a crafted query string to parse_str, resulting in pollution of Object.prototype. This vulnerability is a regression from an incomplete fix for CVE-2026-25521. The issue is fixed in version 3.0.25 with an updated patch.
Potential Impact
Successful exploitation allows an attacker to modify Object.prototype, which can lead to unexpected behavior in applications using the vulnerable locutus versions. This can cause security issues such as privilege escalation or denial of service depending on how the polluted prototype is used. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS score of 6.3 reflects a medium severity impact with low attack complexity and no privileges required.
Mitigation Recommendations
Upgrade locutus to version 3.0.25 or later, where the vulnerability is fixed with an updated guard against prototype pollution. There is no indication that temporary workarounds or other mitigations are effective. Patch status is confirmed by the versioning information in the advisory. Users should verify they are not using affected versions and update accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.212Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c702cd2b68dbd88e2edf94
Added to database: 3/27/2026, 10:21:01 PM
Last enriched: 4/4/2026, 10:47:37 AM
Last updated: 5/11/2026, 5:33:11 AM
Views: 301
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.