Vulnerability Details CVE-2026-25521
Locutus brings the standard libraries of other programming languages to JavaScript for educational purposes. In versions 2.0.12 up to, but not including, 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
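The description above says the earlier fix looked for a forbidden key in the user input and was still bypassed. The following is an added example, not locutus code and not the 2.0.39 patch, of the defensive shape a key-by-path setter should have so that a single missed check does not reach Object.prototype: every path segment is normalised to a primitive string and tested individually against a forbidden set, and intermediate containers are created with a null prototype so a write cannot resolve to an inherited property. The helper names (safeSetPath, splitPath, normaliseKey, prototypeIsClean, FORBIDDEN_KEYS) and the `a[b][c]` path syntax are assumptions for the example.

```javascript
// Added example: hardened "set value by path" helper for user-controlled keys.
// Not locutus code; helper names and the a[b][c] path syntax are assumptions.

// Keys that, written into an ordinary object, reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Collapse one segment to a primitive string and reject forbidden names.
// Boxed strings or objects with a custom toString are normalised first, so
// the check sees exactly the key the property write would use.
function normaliseKey(segment) {
  const key = typeof segment === 'string' ? segment : String(segment);
  if (FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to write prototype-reaching key "${key}"`);
  }
  return key;
}

// Parse "a[b][c]" into ["a", "b", "c"] (raw segments, not yet checked).
function splitPath(path) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(String(path));
  if (!m) throw new TypeError(`malformed path "${path}"`);
  const segs = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let part;
  while ((part = re.exec(m[2])) !== null) segs.push(part[1]);
  return segs;
}

// Write `value` at `path` inside `root`. Two independent defences:
//  1. every segment is checked against FORBIDDEN_KEYS after normalisation;
//  2. intermediate containers are created with Object.create(null), so a
//     write can never land on a property inherited from Object.prototype.
// Callers should pass a null-prototype root as well (see the usage below).
function safeSetPath(root, path, value) {
  const segs = splitPath(path).map(normaliseKey);
  let node = root;
  for (let i = 0; i < segs.length - 1; i++) {
    const k = segs[i];
    // Only descend into containers this call owns; never into an inherited one.
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) {
      node[k] = Object.create(null);
    }
    node = node[k];
  }
  node[segs[segs.length - 1]] = value;
  return root;
}

// Post-condition for tests or a startup self-check: Object.prototype carries
// no enumerable own keys and a sentinel name is not visible on a fresh object.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && !('polluted' in {});
}

// Usage: parse constructed, user-style input into a null-prototype object.
const parsed = safeSetPath(Object.create(null), 'user[name]', 'alice');
console.log(parsed.user.name, prototypeIsClean());
```

The point of the second layer is that it holds even if the forbidden-key list is incomplete or a future encoding trick gets a segment past it: with null-prototype containers there is no Object.prototype on the path for a write to reach. prototypeIsClean() is the kind of assertion worth running in a test suite after exercising any parser that turns external strings into object keys.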
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.0%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-25521
- cpe:2.3:a:locutus:locutus:2.0.12
- cpe:2.3:a:locutus:locutus:2.0.13
- cpe:2.3:a:locutus:locutus:2.0.14
- cpe:2.3:a:locutus:locutus:2.0.15
- cpe:2.3:a:locutus:locutus:2.0.16
- cpe:2.3:a:locutus:locutus:2.0.17
- cpe:2.3:a:locutus:locutus:2.0.19
- cpe:2.3:a:locutus:locutus:2.0.20
- cpe:2.3:a:locutus:locutus:2.0.21
- cpe:2.3:a:locutus:locutus:2.0.22
- cpe:2.3:a:locutus:locutus:2.0.23
- cpe:2.3:a:locutus:locutus:2.0.24
- cpe:2.3:a:locutus:locutus:2.0.25
- cpe:2.3:a:locutus:locutus:2.0.26
- cpe:2.3:a:locutus:locutus:2.0.27
- cpe:2.3:a:locutus:locutus:2.0.28
- cpe:2.3:a:locutus:locutus:2.0.29
- cpe:2.3:a:locutus:locutus:2.0.30
- cpe:2.3:a:locutus:locutus:2.0.31
- cpe:2.3:a:locutus:locutus:2.0.32
- cpe:2.3:a:locutus:locutus:2.0.33
- cpe:2.3:a:locutus:locutus:2.0.34
- cpe:2.3:a:locutus:locutus:2.0.35
- cpe:2.3:a:locutus:locutus:2.0.36
- cpe:2.3:a:locutus:locutus:2.0.37
- cpe:2.3:a:locutus:locutus:2.0.38