CVE-2026-33993

MEDIUM EPSS 43.5%
Published Mar 27, 20263mo ago · Modified Jun 17, 20261w ago
6.9 CVSS 4.0
Medium
Find Similar
Published Mar 27, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
43.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-1321

Affected Products 1

VendorProductVersionRange
locutuslocutus* <3.0.25

References 4

  • github.com https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
    Patch
  • github.com https://github.com/locutusjs/locutus/pull/597
    Issue Tracking
  • github.com https://github.com/locutusjs/locutus/releases/tag/v3.0.25
    Release Notes
  • github.com https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
    Patch