anonhaven
Ad

CVE-2026-33994

MEDIUM CVSS 4.0: 6.3 EPSS 0.10%
Updated Mar 30, 2026
Locutus
Parameter Value
CVSS 6.3 (MEDIUM)
Affected Versions before 3.0.25
Type CWE-1321 (Prototype Pollution)
Vendor Locutus
Public PoC No

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard.

This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another.

Version 3.0.25 contains an updated fix.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-1321 Prototype Pollution

References 4

https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9f…
security-advisories@github.com
https://github.com/locutusjs/locutus/pull/597
security-advisories@github.com
https://github.com/locutusjs/locutus/releases/tag/v3.0.25
security-advisories@github.com
https://github.com/locutusjs/locutus/security/advisories/GHSA-vc8f-x9pp-wf5p
security-advisories@github.com
Share Post Share Share Share