VYPR
Critical severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-7719

Description

Versions of package locutus before 2.0.12 are vulnerable to prototype pollution via the php.strings.parse_str function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Locutus before 2.0.12 is vulnerable to prototype pollution via the php.strings.parse_str function, allowing attackers to inject properties into Object.prototype.

Vulnerability

Overview

CVE-2020-7719 describes a prototype pollution vulnerability in the Locutus JavaScript library (versions before 2.0.12). Locutus ports standard library functions from PHP and other languages to TypeScript/JavaScript. The flaw resides in the php.strings.parse_str function, which parses query strings into JavaScript objects without sanitizing keys that can modify the prototype chain [1].

Exploitation

An attacker can exploit this by supplying a crafted string to parse_str that includes keys such as __proto__, constructor, or prototype. When the function processes the input, it assigns values directly to the object's prototype, polluting Object.prototype [3]. No authentication or special network position is required if the application exposes parse_str to user-controlled input.

Impact

Successful prototype pollution can lead to denial of service by triggering JavaScript exceptions or, more critically, remote code execution. Because all JavaScript objects inherit from Object.prototype, a polluted prototype can alter application behavior globally, potentially forcing code paths chosen by the attacker [4].

Mitigation

The vulnerability was fixed in Locutus version 2.0.12. The fix, implemented in pull request #418, adds input validation that checks for prototype keywords and returns the object unmodified if they are present [3]. Users are strongly advised to upgrade to the latest version. No workarounds are documented.
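To make the mitigation concrete, here is an added example (not Locutus code, and not the fix from pull request #418) of a minimal parse_str-style query-string parser that applies the same idea defensively: every decoded key segment is checked against the prototype keywords, an offending pair is skipped rather than ending the parse, and the result is built on prototype-less objects so a stray key could never reach Object.prototype. Function names (`safeParseStr`, `splitKey`, `prototypeIsClean`) and the sample input are constructed for this illustration.

```javascript
// Added example: hardened query-string parsing against prototype pollution.
// Not the Locutus implementation; function names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"]; a trailing "[]" yields an empty segment.
function splitKey(key) {
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segs = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

// Exact match on each decoded segment, so "my_constructor" stays usable
// while "%5F%5Fproto%5F%5F" (decoded: __proto__) is still caught.
function isSafeSegment(seg) {
  return !FORBIDDEN.has(seg);
}

// Parse "k=v&k2[x]=y" into a prototype-less object. A dangerous key is
// skipped (and recorded), so benign pairs after it are still parsed.
function safeParseStr(str) {
  const result = Object.create(null);
  const skipped = [];
  for (const pair of str.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    const segs = splitKey(decodeURIComponent(rawKey.replace(/\+/g, ' ')));
    if (!segs.every(isSafeSegment)) { skipped.push(rawKey); continue; }
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i] === '' ? String(Object.keys(cur).length) : segs[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object') {
        cur[seg] = Object.create(null); // nested containers have no prototype either
      }
      cur = cur[seg];
    }
    const last = segs[segs.length - 1];
    cur[last === '' ? String(Object.keys(cur).length) : last] = value;
  }
  return { result, skipped };
}

// Post-condition a caller can check after parsing untrusted input:
// the shared prototypes gained no property named `prop`.
function prototypeIsClean(prop) {
  return !(prop in {}) && !(prop in []);
}
```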

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: locutus (npm)
Affected versions: < 2.0.12
Patched versions: 2.0.12


Patches

Commit 0eb16d854183: fixed prototype pollution

https://github.com/locutusjs/locutus · Asjid Kalam · Aug 25, 2020 · via ghsa
1 file changed · +4 −0
  • src/php/strings/parse_str.js (+4 −0, modified)
    @@ -74,6 +74,10 @@ module.exports = function parse_str (str, array) { // eslint-disable-line camelc
         key = _fixStr(tmp[0])
         value = (tmp.length < 2) ? '' : _fixStr(tmp[1])
     
    +    if (key.includes('__proto__') || key.includes('constructor') || key.includes('prototype')) {
    +      break;
    +    }
    +
         while (key.charAt(0) === ' ') {
           key = key.slice(1)
         }
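Review bot: the new guard (`if (key.includes('__proto__') || ... ) { break; }`) uses `break`, which ends the parsing loop at the first offending pair, so every benign `key=value` pair that follows it in the same string is silently dropped; `continue` would skip only the dangerous pair and keep the rest of the result. Two smaller points on the same lines: `includes` is a substring test, so legitimate keys such as `my_constructor` or `prototype_id` are rejected as well (an exact comparison of the key, or of each bracketed segment, would be tighter), and the trailing semicolon on `break;` departs from the semicolon-free style of the surrounding lines.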
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
