Prototype Pollution in Locutusjs Locutus

CVE-2026-33994

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package…

Vulnerability class: Prototype Pollution

EPSS: 0.001 (21.6th percentile) — read the EPSS interpretation.

Affected products

Locutusjs Locutus — versions >= 2.0.39, < 3.0.25

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

https://github.com/locutusjs/locutus/security/advisories/GHSA-vc8f-x9pp-wf5p (x_refsource_CONFIRM)
https://github.com/locutusjs/locutus/pull/597 (x_refsource_MISC)
https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4 (x_refsource_MISC)
https://github.com/locutusjs/locutus/releases/tag/v3.0.25 (x_refsource_MISC)