CVE-2026-33994

Exploit

EPSS 0.56%
Veröffentlicht 27.03.2026 22:15:47
Zuletzt bearbeitet 01.04.2026 14:16:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Locutus ≫ Locutus SwPlatformnode.js Version >= 2.0.39 < 3.0.25

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.56%	0.421

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/locutusjs/locutus/pull/597

Issue Tracking

https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4

Patch

https://github.com/locutusjs/locutus/releases/tag/v3.0.25

Release Notes

https://github.com/locutusjs/locutus/security/advisories/GHSA-vc8f-x9pp-wf5p

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-33994

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33994

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33994

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33994