Prototype Pollution in Locutusjs Locutus

CVE-2026-33993

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket not…

Vulnerability class: Prototype Pollution

EPSS: 0.001 (17.6th percentile)

Affected products

Weakness classification (CWE)

References