CVE-2026-33993

Exploit

EPSS 0.58%
Veröffentlicht 27.03.2026 22:14:03
Zuletzt bearbeitet 01.04.2026 13:22:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Locutus ≫ Locutus SwPlatformnode.js Version < 3.0.25

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.58%	0.432

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877

Vendor Advisory

Exploit

Mitigation

https://github.com/locutusjs/locutus/pull/597

Issue Tracking

https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4

Patch

https://github.com/locutusjs/locutus/releases/tag/v3.0.25

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33993

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33993

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33993

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33993