Summaryinfo

A vulnerability was found in locutusjs locutus up to 3.0.24. It has been declared as problematic. This impacts an unknown function of the component Query Handler. The manipulation results in prototype pollution. This vulnerability is identified as CVE-2026-33994. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in locutusjs locutus up to 3.0.24. It has been classified as problematic. Affected is some unknown processing of the component Query Handler. The manipulation with an unknown input leads to a prototype pollution vulnerability. CWE is classifying the issue as CWE-1321. The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. This is going to have an impact on integrity. CVE summarizes:

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.

The advisory is available at github.com. This vulnerability is traded as CVE-2026-33994 since 03/24/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1059 by the MITRE ATT&CK project.

Upgrading to version 3.0.25 eliminates this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• locutusjs

Name

• locutus

Version

• 3.0.0
• 3.0.1
• 3.0.2
• 3.0.3
• 3.0.4
• 3.0.5
• 3.0.6
• 3.0.7
• 3.0.8
• 3.0.9
• 3.0.10
• 3.0.11
• 3.0.12
• 3.0.13
• 3.0.14
• 3.0.15
• 3.0.16
• 3.0.17
• 3.0.18
• 3.0.19
• 3.0.20
• 3.0.21
• 3.0.22
• 3.0.23
• 3.0.24

Website

• Product: https://github.com/locutusjs/locutus/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion