Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
References
| Link | Resource |
|---|---|
| https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c | Patch |
| https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh | Exploit Vendor Advisory |
Configurations
History
20 Feb 2026, 21:20
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c - Patch | |
| References | () https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh - Exploit, Vendor Advisory | |
| Summary |
|
|
| CPE | cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| First Time |
Locutus
Locutus locutus |
04 Feb 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-04 22:15
Updated : 2026-02-20 21:20
NVD link : CVE-2026-25521
Mitre link : CVE-2026-25521
CVE.ORG link : CVE-2026-25521
JSON object : View
Products Affected
locutus
- locutus
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
