Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Vulnerability Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
CVSS Information
N/A
Vulnerability Type
CWE-1321
Vulnerability Title
Locutus 安全漏洞
Vulnerability Description
Locutus是Locutus开源的一个JavaScript代码库。 Locutus 2.0.39至3.0.25之前版本存在安全漏洞,该漏洞源于parse_str函数存在可绕过的原型污染防护,可能导致原型污染攻击。
CVSS Information
N/A
Vulnerability Type
N/A