npm package
locutus
pkg:npm/locutus
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33994 | Critical | 9.8 | — | >= 2.0.39, < 3.0.25 | 3.0.25 | Mar 27, 2026 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object |
| CVE-2026-33993 | Critical | 9.8 | — | < 3.0.25 | 3.0.25 | Mar 27, 2026 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` k |
| CVE-2026-32304 | — | — | — | < 3.0.14 | 3.0.14 | Mar 12, 2026 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is |
| CVE-2026-29091 | — | — | — | < 3.0.0 | 3.0.0 | Mar 6, 2026 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability |
| CVE-2026-25521 | — | — | — | >= 2.0.12, < 2.0.39 | 2.0.39 | Feb 4, 2026 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether |
| CVE-2021-23392 | — | — | — | < 2.0.15 | 2.0.15 | Jun 8, 2021 | The package locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function. |
| CVE-2020-7719 | — | — | — | < 2.0.12 | 2.0.12 | Sep 1, 2020 | Versions of package locutus before 2.0.12 are vulnerable to prototype pollution via the php.strings.parse_str function. |
| CVE-2020-13619 | — | — | — | <= 2.0.11 | — | Jul 1, 2020 | php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. |
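The ranges in the table overlap in non-obvious ways (2.0.39 is the fix for CVE-2026-25521 but the first version affected by CVE-2026-33994, and several entries reach all the way down to every pre-3.0.25 release), so the practical question is "which of these rows apply to the version in my lockfile?". The following is an added triage helper, not code from the locutus project or from this page's source: it transcribes the "Affected versions" column above into range strings and evaluates an installed version against each. The comparator is deliberately minimal (numeric major.minor.patch, no prerelease tags), which is sufficient for the releases the table names; `LOCUTUS_ADVISORIES`, `satisfies` and `affectingCves` are names chosen here.

```javascript
// Added example: triage an installed locutus version against the advisory
// table above. Range strings are transcribed from the "Affected versions"
// column; the version comparator is a minimal major.minor.patch one.

// [CVE id, affected range] pairs, in the table's order. Transcribed, not
// fetched: keep this in sync with the table when new advisories land.
const LOCUTUS_ADVISORIES = [
  ['CVE-2026-33994', '>= 2.0.39, < 3.0.25'],
  ['CVE-2026-33993', '< 3.0.25'],
  ['CVE-2026-32304', '< 3.0.14'],
  ['CVE-2026-29091', '< 3.0.0'],
  ['CVE-2026-25521', '>= 2.0.12, < 2.0.39'],
  ['CVE-2021-23392', '< 2.0.15'],
  ['CVE-2020-7719', '< 2.0.12'],
  ['CVE-2020-13619', '<= 2.0.11'],
];

// Parse "2.0.39" into [2, 0, 39]. Missing trailing components become 0;
// anything with prerelease/build metadata is rejected rather than guessed at.
function parseVersion(s) {
  const t = String(s).trim();
  if (!/^\d+(\.\d+){0,2}$/.test(t)) {
    throw new Error(`unsupported version string: ${s}`);
  }
  const parts = t.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Component-wise comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Relational operators the table's ranges use, keyed by their spelling.
const OPS = {
  '<': (c) => c < 0,
  '<=': (c) => c <= 0,
  '>': (c) => c > 0,
  '>=': (c) => c >= 0,
  '=': (c) => c === 0,
};

// True when `version` satisfies every comma-separated clause of `range`,
// e.g. satisfies('2.0.40', '>= 2.0.39, < 3.0.25') === true.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split(',').every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)\s*(\d+(?:\.\d+){0,2})$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    return OPS[m[1]](compareVersions(v, parseVersion(m[2])));
  });
}

// CVE ids from the table whose affected range contains `installedVersion`,
// in table order. An empty array means no listed advisory applies.
function affectingCves(installedVersion) {
  return LOCUTUS_ADVISORIES
    .filter(([, range]) => satisfies(installedVersion, range))
    .map(([id]) => id);
}

// Stand-alone usage: `node triage.js 2.0.39`; defaults to 2.0.39 without an argument.
const requested = (typeof process !== 'undefined' && process.argv[2]) || '2.0.39';
console.log(`${requested}: ${affectingCves(requested).join(', ') || 'no listed advisories'}`);
```

Running it for 2.0.39 reports CVE-2026-33994, CVE-2026-33993, CVE-2026-32304 and CVE-2026-29091, i.e. the release that closed CVE-2026-25521 is still exposed to four later entries; only 3.0.25 or newer clears every row. Note that the table gives no "Fixed in" version for CVE-2020-13619, so for that row the helper relies solely on the stated `<= 2.0.11` range.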
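Four of the eight rows (CVE-2020-7719, CVE-2026-25521 and CVE-2026-33994 in `parse_str`, CVE-2026-33993 in `unserialize()`) describe the same bug class: attacker-controlled keys assigned to plain objects with bracket notation, with `__proto__` not filtered out. The block below is an added, constructed illustration of that pattern and of a hardened counterpart; it is not locutus's code and does not reproduce the project's actual `parse_str` or `unserialize` logic or any specific payload from the advisories. It uses a PHP-`parse_str`-style `a[b][c]=v` key path because that is the shape the affected function consumes; `splitPair`, `assignVulnerable`, `assignHardened` and `demo` are names chosen here.

```javascript
// Added illustration of the bracket-notation prototype pollution pattern the
// advisories describe. Constructed for this page; NOT locutus's implementation.

// Split one "a[b][c]=v" pair into a key path ["a","b","c"] and the value "v".
// Deliberately minimal: one pair, no decoding of the key path itself.
function splitPair(pair) {
  const eq = pair.indexOf('=');
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return null;
  const path = [m[1]];
  for (const seg of m[2].matchAll(/\[([^\]]*)\]/g)) path.push(seg[1]);
  return { path, value };
}

// Vulnerable pattern: walk and assign with cur[key], no key filtering.
// For the path ["a","__proto__","polluted"], cur["__proto__"] resolves to
// Object.prototype, so the final write lands on every plain object in the
// process rather than on `target`.
function assignVulnerable(target, pair) {
  const kv = splitPair(pair);
  if (!kv) return target;
  let cur = target;
  for (const key of kv.path.slice(0, -1)) {
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[kv.path[kv.path.length - 1]] = kv.value;
  return target;
}

// Hardened pattern: reject the keys that reach a prototype, create nested
// containers with a null prototype, and only descend into own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assignHardened(target, pair) {
  const kv = splitPair(pair);
  if (!kv) return target;
  if (kv.path.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`rejected key path: ${kv.path.join('.')}`);
  }
  let cur = target;
  for (const key of kv.path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[kv.path[kv.path.length - 1]] = kv.value;
  return target;
}

// Feed a constructed pollution payload through both variants and report
// whether an unrelated, freshly created object picked up the injected key.
function demo() {
  const payload = 'a[__proto__][polluted]=yes'; // constructed test input
  assignVulnerable({}, payload);
  const leakedAfterVulnerable = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before continuing

  let hardenedThrew = false;
  try {
    assignHardened({}, payload);
  } catch {
    hardenedThrew = true;
  }
  const leakedAfterHardened = ({}).polluted === 'yes';
  return { leakedAfterVulnerable, hardenedThrew, leakedAfterHardened };
}

console.log(demo()); // { leakedAfterVulnerable: true, hardenedThrew: true, leakedAfterHardened: false }
```

The two checks in `assignHardened` are independent: the key denylist stops `__proto__`, `constructor` and `prototype` from ever being used as a path segment, while the own-property test plus `Object.create(null)` ensures that even a key the denylist misses cannot walk onto an inherited object. The CVE-2026-25521 description above (a bypass of "a previous fix that attempted to mitigate prototype pollution by checking whether ...") is a reminder that a single check on one spelling of the key is the kind of fix that tends to get reopened.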