CVE-2026-33993

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4	Patch
https://github.com/locutusjs/locutus/pull/597	Issue Tracking
https://github.com/locutusjs/locutus/releases/tag/v3.0.25	Release Notes
https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*

History

01 Apr 2026, 13:22

Type	Values Removed	Values Added
CPE		cpe:2.3:a:locutus:locutus::::::node.js::*
References	~~() https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4 -~~	() https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4 - Patch
References	~~() https://github.com/locutusjs/locutus/pull/597 -~~	() https://github.com/locutusjs/locutus/pull/597 - Issue Tracking
References	~~() https://github.com/locutusjs/locutus/releases/tag/v3.0.25 -~~	() https://github.com/locutusjs/locutus/releases/tag/v3.0.25 - Release Notes
References	~~() https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877 -~~	() https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877 - Exploit, Mitigation, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Locutus Locutus locutus

27 Mar 2026, 23:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 23:17

Updated : 2026-04-01 13:22

NVD link : CVE-2026-33993

Mitre link : CVE-2026-33993

CVE.ORG link : CVE-2026-33993

JSON object : View

Products Affected

locutus

locutus

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.8 /10