CVE-2026-33993
Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize() function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized payload contains __proto__ as an array or object key, JavaScript's __proto__ setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in parse_str (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — unserialize is a different function with no mitigation applied. Version 3.0.25 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
locutusnpm | < 3.0.25 | 3.0.25 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4nvdPatchWEB
- github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-4mph-v827-f877ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33993ghsaADVISORY
- github.com/locutusjs/locutus/pull/597nvdIssue TrackingWEB
- github.com/locutusjs/locutus/releases/tag/v3.0.25nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.