{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33993", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.212Z", "datePublished": "2026-03-27T22:14:03.495Z", "dateUpdated": "2026-03-30T15:45:18.660Z"}, "containers": {"cna": {"title": "Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"}, {"name": "https://github.com/locutusjs/locutus/pull/597", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/pull/597"}, {"name": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4"}, {"name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25"}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"version": "< 3.0.25", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:14:03.495Z"}, "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "source": {"advisory": "GHSA-4mph-v827-f877", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:45:05.433846Z", "id": "CVE-2026-33993", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:45:18.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33993", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:45:05.433846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:45:13.571Z"}}], "cna": {"title": "Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()", "source": {"advisory": "GHSA-4mph-v827-f877", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"status": "affected", "version": "< 3.0.25"}]}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/locutusjs/locutus/pull/597", "name": "https://github.com/locutusjs/locutus/pull/597", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "name": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:14:03.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33993", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:45:18.660Z", "dateReserved": "2026-03-24T22:20:06.212Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:14:03.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F339EAA-6928-4474-AEC9-654C3C19966D", "versionEndExcluding": "3.0.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "id": "CVE-2026-33993", "lastModified": "2026-04-01T13:22:49.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:14.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/locutusjs/locutus/pull/597"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Locutus: Locutus: Prototype Pollution and Denial of Service vulnerability in unserialize() function", "id": "2452536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452536"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-915", "details": ["Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.", "A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The `unserialize()` function, which converts serialized PHP data into JavaScript objects, fails to filter the `__proto__` key during deserialization. A remote attacker can exploit this by providing a specially crafted PHP serialized payload that includes `__proto__` as an array or object key. This vulnerability, known as prototype pollution, allows for property injection and can lead to a Denial of Service (DoS) by enabling attackers to override built-in JavaScript methods."], "name": "CVE-2026-33993", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-03-27T22:14:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33993\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33993\nhttps://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4\nhttps://github.com/locutusjs/locutus/pull/597\nhttps://github.com/locutusjs/locutus/releases/tag/v3.0.25\nhttps://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.25)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "locutus", "source": "cna", "vendor": "locutusjs"}, "product": "locutus", "vendor": "locutus"}], "analysis": {"en": {"generated_at": "2026-04-02T04:09:11.580764+00:00", "value": {"mitigation_remediation": ["Upgrade locutus to version 3.0.25 or later.", "If an upgrade is not possible, avoid calling unserialize() on untrusted data.", "Consider sanitizing input or using a safer deserialization library."], "summary": {"action": "Patch", "impact": "Prototype Pollution via __proto__ key injection, enabling property injection and potential denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Locutus library distributed as the npm package locutusjs/locutus. All versions prior to 3.0.25 are affected. Users who load older versions of locutus and invoke the unserialize function on untrusted data are at risk.", "description_and_impact": "Locutus implements a PHP\u2011style unserialize function that deserializes keys into plain JavaScript objects without filtering the special __proto__ key. When an attacker supplies a serialized payload that contains __proto__ as a key, JavaScript\u2019s prototype setter is invoked, which can replace the object\u2019s prototype with attacker\u2011controlled data. This results in prototype pollution that allows the attacker to inject arbitrary properties into objects, cause unintended property enumeration and override built\u2011in methods, leading to potential denial of service or other compromise of data integrity.", "risk_and_exploitability": "The CVSS score of 6.9 indicates higher\u2011moderate risk, whereas the EPSS score of less than 1\u202f% suggests the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control the input passed to unserialize; if the function is used on user\u2011supplied data, injecting a __proto__ key can modify object prototypes. The attack vector is inferred to be remote input to the JavaScript runtime, as the vulnerable function is client\u2011side. Successful exploitation could lead to property injection, unwanted enumeration and possibly denial of service."}}}}, "created": "2026-03-29T20:29:26.943177+00:00", "updated": "2026-04-02T07:55:14.753030+00:00", "vendors": ["locutus", "locutus$PRODUCT$locutus"]}