CVE-2026-25521

Exploit

EPSS 0.24%
Veröffentlicht 04.02.2026 21:20:32
Zuletzt bearbeitet 27.06.2026 05:16:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Locutus is vulnerable to Prototype Pollution

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Locutus ≫ Locutus SwPlatformnode.js Version >= 2.0.12 < 2.0.39

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.144

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.4	0	0	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c	9.3	2.5	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh

Vendor Advisory

Exploit

https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c

Patch

https://access.redhat.com/security/cve/CVE-2026-25521

https://bugzilla.redhat.com/show_bug.cgi?id=2436950

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25521.json

https://nvd.nist.gov/vuln/detail/CVE-2026-25521

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25521

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25521

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25521