Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Published: 2026-03-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution via __proto__ key injection, enabling property injection and potential denial of service
Action: Patch
AI Analysis

Impact

Locutus implements a PHP‑style unserialize function that deserializes keys into plain JavaScript objects without filtering the special __proto__ key. When an attacker supplies a serialized payload that contains __proto__ as a key, JavaScript’s prototype setter is invoked, which can replace the object’s prototype with attacker‑controlled data. This results in prototype pollution that allows the attacker to inject arbitrary properties into objects, cause unintended property enumeration and override built‑in methods, leading to potential denial of service or other compromise of data integrity.

Affected Systems

The vulnerability affects the Locutus library distributed as the npm package locutusjs/locutus. All versions prior to 3.0.25 are affected. Users who load older versions of locutus and invoke the unserialize function on untrusted data are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates higher‑moderate risk, whereas the EPSS score of less than 1 % suggests the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control the input passed to unserialize; if the function is used on user‑supplied data, injecting a __proto__ key can modify object prototypes. The attack vector is inferred to be remote input to the JavaScript runtime, as the vulnerable function is client‑side. Successful exploitation could lead to property injection, unwanted enumeration and possibly denial of service.

Generated by OpenCVE AI on April 2, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade locutus to version 3.0.25 or later.
  • If an upgrade is not possible, avoid calling unserialize() on untrusted data.
  • Consider sanitizing input or using a safer deserialization library.

Generated by OpenCVE AI on April 2, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4mph-v827-f877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Locutus
Locutus locutus
Vendors & Products Locutus
Locutus locutus

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Title Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Locutus Locutus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T15:45:18.660Z

Reserved: 2026-03-24T22:20:06.212Z

Link: CVE-2026-33993

cve-icon Vulnrichment

Updated: 2026-03-30T15:45:13.571Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T23:17:14.237

Modified: 2026-04-01T13:22:49.673

Link: CVE-2026-33993

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T22:14:03Z

Links: CVE-2026-33993 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:14Z

Weaknesses