Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution leading to possible arbitrary code execution
Action: Patch Now
AI Analysis

Impact

Locutus is a JavaScript library that offers standard-library functionality from other programming languages for educational purposes. In versions 2.0.12 up to but not including 2.0.39, a prototype pollution flaw lets an attacker craft input that bypasses an earlier forbidden-key check by way of String.prototype and writes to Object.prototype. Because every ordinary JavaScript object inherits from Object.prototype, properties planted there appear on all objects in the runtime; depending on what the application then does with those properties, this can lead to privilege escalation or arbitrary code execution. The flaw is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

Affected Systems

The vulnerable product is the Locutus library for Node.js. Applications that import any part of Locutus between versions 2.0.12 and 2.0.38—directly or via transitive dependencies—are affected. Version 2.0.39 and later contain the repair that blocks the pollution vector.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 9.4 (Critical), while its EPSS estimate is below 1%, meaning a low predicted probability of exploitation in the wild; it is not listed in the CISA KEV catalog. The CVSS 4.0 vector records no privileges and no user interaction as required: any caller that can feed data into an affected Locutus function, for example a web request handler or API that passes user-supplied input to the library, can trigger the pollution. Note that every CVSS vector recorded for this CVE rates the attack vector as Local (AV:L), which reflects scoring at the library level; in practice the flaw is reachable remotely exactly when an application passes network-supplied input into the affected functions, so how Locutus is used decides the real exposure rather than the library alone.

Generated by OpenCVE AI on April 17, 2026 at 23:11 UTC.

Remediation

The vendor fix is locutus 2.0.39, as stated in the description and in GHSA-rxrv-835q-v5mh; no separate workaround for earlier versions is published.

OpenCVE Recommended Actions

  • Upgrade Locutus to version 2.0.39 or later to eliminate the prototype pollution vector.
  • Restrict or sanitize any untrusted data that is passed to Locutus functions, rejecting keys such as __proto__, constructor and prototype before they are used as property names, so that no input path can reach Object.prototype.
  • Implement runtime monitoring or logging to detect unexpected writes to Object.prototype (for example a startup or periodic canary that checks a fresh object for inherited properties it should not have), and alert when such changes occur.
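The following JavaScript is an added illustration of the vulnerability class behind this CVE and of the two recommended actions above (key sanitization and a pollution canary). It is example code written for this page, not locutus's own code, and it does not reproduce the specific String.prototype-based bypass the advisory describes, which the page does not detail. The nested-key setters, the PHP-style a[b][c] key syntax, and the crafted inputs are all assumptions made for the demonstration; the bypass shown against the partial fix (constructor then prototype) is a generic, well-known one chosen to show why rejecting a single forbidden key is not enough.

```javascript
'use strict';
// Added example for this page: CWE-1321 in a nested-key setter, a partial fix
// of the kind the advisory calls insufficient, a hardened setter, and a canary.
// Not locutus code; the key syntax and inputs below are constructed.

// Splits a PHP-style key such as "a[b][c]" into ["a", "b", "c"].
function splitKey(key) {
  const m = key.match(/^([^[]+)((?:\[[^\]]*\])*)$/);
  if (!m) throw new Error('bad key: ' + key);
  const rest = m[2].match(/\[([^\]]*)\]/g) || [];
  return [m[1], ...rest.map((s) => s.slice(1, -1))];
}

// Vulnerable setter: follows whatever cur[k] already is, including inherited
// properties such as __proto__ or constructor, so it can walk into Object.prototype.
function setPathNaive(root, keys, value) {
  let cur = root;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return root;
}

// Partial fix: only the literal key "__proto__" is rejected. Other routes to
// Object.prototype (here constructor -> prototype) remain open.
function setPathPartialFix(root, keys, value) {
  if (keys.includes('__proto__')) throw new Error('forbidden key: __proto__');
  return setPathNaive(root, keys, value);
}

// Hardened setter: reject every key that can reach a prototype, never descend
// through inherited properties, and use null-prototype containers plus
// defineProperty so a key literally named __proto__ cannot hit the setter.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const PLAIN = { writable: true, enumerable: true, configurable: true };

function setPathSafe(root, keys, value) {
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new Error('forbidden key: ' + k);
  }
  let cur = root;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      Object.defineProperty(cur, k, { value: Object.create(null), ...PLAIN });
    }
    cur = cur[k];
  }
  Object.defineProperty(cur, keys[keys.length - 1], { value, ...PLAIN });
  return root;
}

// Canary: a fresh object must not see any of these names via its prototype chain.
function prototypeIsClean(names = ['polluted']) {
  const probe = {};
  return names.every((n) => !(n in probe));
}

// Runs all three setters against crafted inputs and reports whether
// Object.prototype was written to. Cleans up after itself so the process stays
// usable; in a real incident you would restart the process instead.
function demo() {
  const results = {};

  setPathNaive({}, splitKey('a[__proto__][polluted]'), 'yes');
  results.naive = !prototypeIsClean();
  delete Object.prototype.polluted;

  let blocked = false;
  try { setPathPartialFix({}, splitKey('a[__proto__][polluted]'), 'yes'); } catch (e) { blocked = true; }
  setPathPartialFix({}, splitKey('a[constructor][prototype][polluted]'), 'yes');
  results.partialBlockedProto = blocked;
  results.partialBypassed = !prototypeIsClean();
  delete Object.prototype.polluted;

  let rejected = 0;
  for (const input of ['a[__proto__][polluted]', 'a[constructor][prototype][polluted]', '__proto__[polluted]']) {
    try { setPathSafe(Object.create(null), splitKey(input), 'yes'); } catch (e) { rejected++; }
  }
  results.safeRejected = rejected;
  results.safeClean = prototypeIsClean();
  results.safeNormal = setPathSafe(Object.create(null), splitKey('user[name]'), 'alice').user.name;
  return results;
}

console.log(demo());
```

The canary is cheap enough to run at startup and on a timer in production; where the application can tolerate it, calling Object.freeze(Object.prototype) early in process startup turns any later pollution attempt into a no-op (or a TypeError in strict mode), which is a stronger control than detection alone.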


Advisories
Source: GitHub GHSA
ID: GHSA-rxrv-835q-v5mh
Title: locutus is vulnerable to Prototype Pollution
History

Fri, 20 Feb 2026 21:30:00 +0000

CPEs, values added: cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*
Metrics, values removed: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
Metrics, values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Thu, 05 Feb 2026 15:15:00 +0000

Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 12:15:00 +0000

Weaknesses, values added: CWE-915
References: updated
Metrics, values removed: threat_severity None
Metrics, values added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}; threat_severity Critical

Thu, 05 Feb 2026 11:45:00 +0000

First time appeared: vendor Locutus; product Locutus locutus
Vendors & Products, values added: Locutus; Locutus locutus

Wed, 04 Feb 2026 21:30:00 +0000

Description, values added: the CVE description shown at the top of this page
Title, values added: Locutus is vulnerable to Prototype Pollution
Weaknesses, values added: CWE-1321
References: added
Metrics, values added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:31:43.203Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25521

Vulnrichment

Updated: 2026-02-05T14:23:07.923Z

NVD

Status: Analyzed

Published: 2026-02-04T22:15:59.203

Modified: 2026-02-20T21:20:40.797

Link: CVE-2026-25521

Red Hat

Severity: Critical

Public Date: 2026-02-04T21:20:32Z

Links: CVE-2026-25521 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses