CVE-2026-25521

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c	Patch
https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-04 22:15

Updated : 2026-02-20 21:20

NVD link : CVE-2026-25521

Mitre link : CVE-2026-25521

CVE.ORG link : CVE-2026-25521

JSON object : View

Products Affected

locutus

locutus

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2026-25521", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T22:15:59.203", "references": [{"url": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39."}, {"lang": "es", "value": "Locutus incorpora librer\u00edas est\u00e1ndar de otros lenguajes de programaci\u00f3n a JavaScript con fines educativos. En las versiones desde la 2.0.12 hasta antes de la 2.0.39, existe una vulnerabilidad de contaminaci\u00f3n de prototipos en Locutus. A pesar de una correcci\u00f3n anterior que intent\u00f3 mitigar la contaminaci\u00f3n de prototipos verificando si la entrada del usuario conten\u00eda una clave prohibida, todav\u00eda es posible contaminar Object.prototype mediante una entrada manipulada utilizando String.prototype. Este problema ha sido corregido en la versi\u00f3n 2.0.39."}], "lastModified": "2026-02-20T21:20:40.797", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F90DC302-09EA-4098-98B1-8B553D0A7C9E", "versionEndExcluding": "2.0.39", "versionStartIncluding": "2.0.12"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}