{"id":"CVE-2026-25521","summary":"Locutus is vulnerable to Prototype Pollution","details":"Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.","aliases":["GHSA-rxrv-835q-v5mh"],"modified":"2026-04-10T05:41:52.430296Z","published":"2026-02-04T21:20:32.643Z","database_specific":{"cwe_ids":["CWE-1321"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25521.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25521.json"},{"type":"ADVISORY","url":"https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25521"},{"type":"FIX","url":"https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/locutusjs/locutus","events":[{"introduced":"5173554c4be3133f67c9cb20469d5ffbd94b2462"},{"fixed":"fb90ed0cb832897ef15880be446ab124e3313047"}]}],"versions":["v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.19","v2.0.20","v2.0.21","v2.0.22","v2.0.23","v2.0.24","v2.0.25","v2.0.26","v2.0.27","v2.0.28","v2.0.29","v2.0.30","v2.0.32","v2.0.33","v2.0.34","v2.0.35","v2.0.36","v2.0.37","v2.0.38"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25521.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}