Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026
Locutus is vulnerable to Prototype Pollution
CVE-2026-25521
Description
Locutus brings the standard libraries of other programming languages to JavaScript for educational purposes. Versions from 2.0.12 up to, but not including, 2.0.39 contain a prototype pollution vulnerability. A previous fix attempted to mitigate prototype pollution by checking whether the user input contained a forbidden key, but it remains possible to pollute Object.prototype with a crafted input that goes through String.prototype. This issue has been patched in version 2.0.39.
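The description points at the weakness of filtering a forbidden key out of the raw input: the check has to be applied to each key at the moment it is written, after the key has been normalised. The helper below is an added illustration, not locutus code; `setPath`, `isSafeKey` and `prototypeIsClean` are assumed names. It coerces every path segment to a primitive string before checking it, refuses keys that would resolve through the target's prototype chain, and builds nested containers with a null prototype.

```javascript
'use strict';

// Added illustration, not locutus code. setPath/isSafeKey/prototypeIsClean are
// assumed names for this example.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A key is safe only if, as a primitive string, it is not a prototype hook and
// does not resolve through the target's prototype chain (e.g. "toString").
function isSafeKey(target, k) {
  if (FORBIDDEN.has(k)) return false;
  if (k in target && !hasOwn(target, k)) return false;
  return true;
}

// Assign value at target[path[0]][path[1]]..., creating null-prototype
// containers along the way so intermediate objects inherit nothing.
// Every segment is coerced to a primitive string before it is checked, so a
// key supplied as a String object is judged exactly like a plain string.
// Returns true on success; returns false at the first rejected segment
// (containers already created for earlier, accepted segments remain).
function setPath(target, path, value) {
  const keys = path.map((seg) => String(seg));
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (!isSafeKey(cur, k)) return false;
    if (i === keys.length - 1) {
      cur[k] = value;
    } else {
      if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
        cur[k] = Object.create(null);
      }
      cur = cur[k];
    }
  }
  return true;
}

// Post-condition for a test suite: after feeding untrusted input through
// setPath, a fresh object must not have gained any enumerable inherited key.
function prototypeIsClean() {
  for (const inherited in {}) return false; // loop body runs only if polluted
  return Object.keys(Object.prototype).length === 0;
}
```

Running `prototypeIsClean()` after each fuzzed call to the parser under test turns a silent pollution into a failing assertion.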
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| locutus (npm) | >= 2.0.12, < 2.0.39 | 2.0.39 |
References
- github.com/advisories/GHSA-rxrv-835q-v5mh (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25521 (NVD entry)
- github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c (fix commit)
- github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh (project security advisory)