216.73.217.64

CVE-2026-33993

· Published 27/03/2026 23:17 · Modified 27/03/2026 23:17

Labels: CVE-2026-33993 2026-03-27CVE-2026-33993CWE-1321[email protected]

Essential information

Published
27/03/2026 23:17
Modified
27/03/2026 23:17
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
locutus / locutus cpe:2.3:a:locutus:locutus:<3.0.25:*:*:*:*:*:*:*

References