{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25521", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.487Z", "datePublished": "2026-02-04T21:20:32.643Z", "dateUpdated": "2026-02-05T14:31:43.203Z"}, "containers": {"cna": {"title": "Locutus is vulnerable to Prototype Pollution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"}, {"name": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c"}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"version": ">= 2.0.12, < 2.0.39", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:20:32.643Z"}, "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39."}], "source": {"advisory": "GHSA-rxrv-835q-v5mh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:23:07.184247Z", "id": "CVE-2026-25521", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:31:43.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-05T14:23:07.184247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:23:07.923Z"}}], "cna": {"title": "Locutus is vulnerable to Prototype Pollution", "source": {"advisory": "GHSA-rxrv-835q-v5mh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"status": "affected", "version": ">= 2.0.12, < 2.0.39"}]}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh", "name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c", "name": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:20:32.643Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25521", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:31:43.203Z", "dateReserved": "2026-02-02T18:21:42.487Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:20:32.643Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F90DC302-09EA-4098-98B1-8B553D0A7C9E", "versionEndExcluding": "2.0.39", "versionStartIncluding": "2.0.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39."}, {"lang": "es", "value": "Locutus incorpora librer\u00edas est\u00e1ndar de otros lenguajes de programaci\u00f3n a JavaScript con fines educativos. En las versiones desde la 2.0.12 hasta antes de la 2.0.39, existe una vulnerabilidad de contaminaci\u00f3n de prototipos en Locutus. A pesar de una correcci\u00f3n anterior que intent\u00f3 mitigar la contaminaci\u00f3n de prototipos verificando si la entrada del usuario conten\u00eda una clave prohibida, todav\u00eda es posible contaminar Object.prototype mediante una entrada manipulada utilizando String.prototype. Este problema ha sido corregido en la versi\u00f3n 2.0.39."}], "id": "CVE-2026-25521", "lastModified": "2026-02-20T21:20:40.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:15:59.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "locutus: Locutus is vulnerable to Prototype Pollution", "id": "2436950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436950"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-915", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25521", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-02-04T21:20:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25521\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25521\nhttps://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c\nhttps://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"], "threat_severity": "Critical"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:11:39.034486+00:00", "value": {"mitigation_remediation": ["Upgrade Locutus to version 2.0.39 or later to eliminate the prototype pollution vector.", "Restrict or sanitize any untrusted data that is passed to Locutus functions, ensuring that keys do not target Object.prototype.", "Implement runtime monitoring or logging to detect unexpected writes to Object.prototype, and alert when such changes occur."], "summary": {"action": "Patch Now", "impact": "Prototype Pollution leading to possible arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the Locutus library for Node.js. Applications that import any part of Locutus between versions 2.0.12 and 2.0.38\u2014directly or via transitive dependencies\u2014are affected. Version 2.0.39 and later contain the repair that blocks the pollution vector.", "description_and_impact": "Locutus is a JavaScript library that offers standard library functionality from other languages for educational purposes. Between versions 2.0.12 and before 2.0.39 a prototype pollution flaw allows an attacker to craft input that exploits String.prototype and writes to Object.prototype. By overwriting properties on the global prototype, the attacker can alter the behavior of all future objects in the JavaScript runtime, potentially leading to privilege escalation or arbitrary code execution. The flaw is classified as CWE\u20111321 and CWE\u2011915.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 9.4, indicating very high severity, yet the EPSS probability is reported as less than 1\u202f%, suggesting a low but non\u2011zero chance of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers that can supply data to the vulnerable functions\u2014such as through web request handlers, APIs, or any untrusted input\u2014can trigger the prototype pollution without elevated privileges. The attack path relies on manipulating String.prototype keys, making it practical for remote clients that invoke the library functions."}}}}, "created": "2026-02-05T11:40:07.630031+00:00", "updated": "2026-04-17T23:15:30.808533+00:00", "vendors": ["locutus", "locutus$PRODUCT$locutus"]}