Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Published: 2026-03-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution enabling property injection, potential denial of service
Action: Apply Patch
AI Analysis

Impact

Attacker-controlled keys named __proto__ can replace the prototype of deserialized objects, allowing injection of arbitrary properties and overriding built-in methods. This vulnerability can lead to injection of malicious code or denial of service, specifically through property propagation during for…in loops or by tampering with standard object behavior.

Affected Systems

The problem exists in the Locutus library for JavaScript under the product locutusjs:locutus. All releases before version 3.0.25 assign deserialized keys to objects via bracket notation without filtering the __proto__ key and are therefore affected. Version 3.0.25 onward includes the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, rated Medium. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is a PHP serialized string containing a __proto__ key being passed to unserialize(), which then replaces the prototype of the deserialized object. This can be leveraged if the library processes untrusted input in a client- or server-side context.

Generated by OpenCVE AI on March 28, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update locutus to version 3.0.25 or newer, which removes the prototype injection flaw.
  • If an update is not possible, validate or sanitize any serialized PHP payloads to strip or encode __proto__ keys before passing them to unserialize().
  • Avoid using unserialize() with untrusted data whenever feasible.
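
An added illustration of the mechanism in the description and of a reject gate for deployments that cannot upgrade yet; this is not Locutus code. `buildUnsafe`, `buildSafe`, `forInKeys`, `hasForeignPrototype` and the sample pairs are constructed for the example, and the check assumes the deserializer is only expected to return plain objects and arrays.

```javascript
// Constructed sample: key/value pairs as a deserializer would see them after
// decoding a payload that carries "__proto__" as an array key.
const SAMPLE_PAIRS = [['name', 'bob'], ['__proto__', { isAdmin: true }]];

// Stand-in for the pattern the advisory describes (bracket assignment, no key filter).
function buildUnsafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    out[key] = value; // '__proto__' reaches the inherited setter and swaps the prototype
  }
  return out;
}

// Hardened form: every key becomes an own data property, so the setter never runs.
function buildSafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(out, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// for...in walks inherited enumerable keys, which is how injected properties propagate.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Reject gate for a deserialized result: true if any object in the graph has a
// prototype other than Object.prototype, Array.prototype or null.
function hasForeignPrototype(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  if (proto !== null && proto !== Object.prototype && proto !== Array.prototype) return true;
  return Object.keys(value).some((k) => hasForeignPrototype(value[k], seen));
}

const unsafe = buildUnsafe(SAMPLE_PAIRS);
const safe = buildSafe(SAMPLE_PAIRS);
console.log(unsafe.isAdmin, forInKeys(unsafe), hasForeignPrototype(unsafe));
console.log(safe.isAdmin, forInKeys(safe), hasForeignPrototype(safe));
```

The gate runs after deserialization, so it can only reject a result whose prototype was already swapped; it does not replace upgrading to 3.0.25.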


Advisories
Source: Github GHSA
ID: GHSA-4mph-v827-f877
Title: Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
History

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate


Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Locutus
Locutus locutus
Vendors & Products Locutus
Locutus locutus

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Title Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T15:45:18.660Z

Reserved: 2026-03-24T22:20:06.212Z

Link: CVE-2026-33993

Vulnrichment

Updated: 2026-03-30T15:45:13.571Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T23:17:14.237

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-33993

Redhat

Severity: Moderate

Public Date: 2026-03-27T22:14:03Z

Links: CVE-2026-33993 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:59:13Z

Weaknesses