Locutus: >> Locutus >> 2.0.14 Security Vulnerabilities
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-02-04
The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-06-08