Prototype Pollution in Locutusjs Locutus
CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigat…
Vulnerability class: Prototype Pollution
EPSS: 0.000 (5.1th percentile)
Affected products
- Locutusjs Locutus — versions >= 2.0.12, < 2.0.39
Weakness classification (CWE)
References
- https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh (x_refsource_CONFIRM)
- https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c (x_refsource_MISC)