CVE-2026-25521

8.8 HIGH

📋 TL;DR

Locutus versions 2.0.12 through 2.0.38 contain a prototype pollution vulnerability: crafted input passed to the affected functions lets an attacker write properties onto shared JavaScript prototypes (Object.prototype and String.prototype are named in this advisory). Because every object in the process inherits from those prototypes, a single polluted key such as "__proto__" or "constructor[prototype]" is visible to unrelated code throughout the application. Any application that feeds attacker-controlled data into locutus functions is affected.

💻 Affected Systems

Products:
  • locutus
Versions: 2.0.12 through 2.0.38
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable versions of the locutus library.

📦 What is this software?

Locutus is a JavaScript library that ports standard-library functions from other languages (PHP, Python, Ruby, C and Go) to JavaScript. Its PHP ports are the largest set and are commonly pulled into Node.js and browser applications as an npm dependency, so "educational" in the project's own description does not mean it is absent from production code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution, denial of service, or privilege escalation. A property written to Object.prototype is inherited by every object in the process, so any code path that reads an option it did not explicitly set (a template engine's compile options, a child-process spawner's shell flag, an authorization check that tests for a truthy "isAdmin") becomes a gadget the attacker controls.

🟠 Likely Case

Application instability, unexpected behavior, or denial of service: polluted keys surface in loops over object properties, break equality and type checks, and can crash request handlers that did not expect them.

🟢 If Mitigated

Limited impact if prototype-related keys are rejected before reaching locutus, though any remaining path that builds objects from untrusted keys can still produce unexpected behavior.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting input that bypasses the library's earlier prototype pollution mitigations by way of String.prototype. No authentication is needed wherever the affected function processes attacker-supplied input, such as query strings or request bodies.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.39

Vendor Advisory: https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh

Restart Required: No

Instructions:

1. Update the locutus dependency to version 2.0.39 or later.
2. Run npm update locutus (or yarn upgrade locutus) and confirm the lockfile now pins 2.0.39 or later.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all platforms)

Reject or strip the keys "__proto__", "constructor" and "prototype" from any user-controlled object paths or parameter names before they reach locutus functions, and never descend into inherited properties when building objects from user input. Freezing Object.prototype at process start (Object.freeze(Object.prototype)) is an additional defense-in-depth measure, but test it first: some libraries legitimately extend built-in prototypes.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-provided data processed by locutus functions.
  • Monitor application logs for unexpected behavior or errors related to object property access.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/locutus/package.json for version number between 2.0.12 and 2.0.38 inclusive.

Check Version:

npm ls locutus, or grep '"version"' node_modules/locutus/package.json, run from the project directory. Check the lockfile as well: a nested copy of locutus inside another dependency will not be fixed by editing your own package.json.

Verify Fix Applied:

Verify that locutus resolves to 2.0.39 or higher in package.json and in the lockfile (package-lock.json or yarn.lock), then confirm that processing a payload containing "__proto__" or "constructor[prototype]" leaves Object.prototype and String.prototype without any new properties.
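The mechanism behind the workaround above and the "known malicious inputs" check in this section, as an added example that is not locutus code and does not reproduce the specific affected function: a deliberately naive "set value at dotted path" routine of the kind that gets polluted, a hardened counterpart that refuses prototype-related keys and never walks inherited properties, and a harness that reports which built-in prototypes gained properties while a function ran. Function names and the payload strings are this example's own.

```javascript
'use strict';

// Added example (not locutus code). Keys that must never be used as object
// paths derived from untrusted input: each one reaches a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks attacker-controlled key segments with no filtering and
// happily descends into inherited properties. "__proto__.isAdmin" lands on
// Object.prototype; "constructor.prototype.isAdmin" gets there via Object.
function unsafeSetPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-related keys outright, and only descend into
// own, plain-object properties so an inherited getter can never be walked.
function safeSetPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-related key: ${key}`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {};
      }
      node = node[key];
    }
  }
  return target;
}

// Runs fn() and returns the names of properties that appeared on the given
// built-in prototypes while it ran. Object.prototype and String.prototype are
// checked because this advisory names both. Any additions are deleted again
// so repeated checks start clean; a thrown error counts as "did not pollute".
function pollutes(fn, protos = [Object.prototype, String.prototype, Array.prototype]) {
  const before = protos.map((p) => new Set(Object.getOwnPropertyNames(p)));
  try {
    fn();
  } catch (_) {
    // rejection by the hardened path is the desired outcome, not pollution
  }
  const added = [];
  protos.forEach((p, i) => {
    for (const name of Object.getOwnPropertyNames(p)) {
      if (!before[i].has(name)) {
        added.push(name);
        delete p[name];
      }
    }
  });
  return added;
}

// Constructed payloads of the shape seen in prototype pollution reports.
const PAYLOADS = ['__proto__.isAdmin', 'constructor.prototype.isAdmin', 'user.name'];

for (const p of PAYLOADS) {
  console.log(p, '-> unsafe:', pollutes(() => unsafeSetPath({}, p, true)),
    'safe:', pollutes(() => safeSetPath({}, p, true)));
}
```

To turn this into the verification check for a real deployment, replace the call inside pollutes() with the locutus function your application exposes to user input, fed the same payload shapes; an empty array after the upgrade is the expected result. The harness deliberately observes the prototypes themselves rather than testing `({}).isAdmin`, because a pollution that lands on String.prototype or Array.prototype would be missed by a check on a plain object.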

📡 Detection & Monitoring

Log Indicators:

  • Unexpected property access errors
  • Type errors related to object prototypes
  • Application crashes or instability

Network Indicators:

  • Unusual input patterns in HTTP requests containing prototype pollution payloads

SIEM Query:

Two complementary searches. Weak indicator: application error logs containing 'TypeError', 'prototype' or 'Cannot set property' (these also fire on ordinary bugs, so treat them as a prompt to look closer). Stronger indicator: web server or WAF logs whose request query strings, after URL-decoding (including a second decoding pass for double-encoded payloads), contain '__proto__', 'constructor[prototype]' or 'constructor.prototype'. Those key names have no legitimate use as form or query parameter names.
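The stronger of the two searches above, run over sample access-log lines, as an added example that is not part of this advisory: it pulls the request target out of a common-log-format line, URL-decodes it up to twice so double-encoded payloads are caught, and flags the request only when a decoded parameter name contains "__proto__" or a "constructor[prototype]" / "constructor.prototype" chain. The log lines, IP addresses and paths are constructed for the example; the regular expressions are this example's own, not a vendor signature.

```javascript
'use strict';

// Added example (not from the advisory). Constructed common-log-format lines:
// line 1 is benign, 2 and 3 carry plain and percent-encoded payloads, 4 is a
// benign path that merely contains the word "prototype", 5 is double-encoded.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /api/settings?__proto__[isAdmin]=true HTTP/1.1" 200 64',
  '203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "POST /api/profile?constructor%5Bprototype%5D%5Bpolluted%5D=1 HTTP/1.1" 200 64',
  '203.0.113.11 - - [10/Mar/2026:12:00:04 +0000] "GET /docs/prototype-chains HTTP/1.1" 200 1024',
  '203.0.113.13 - - [10/Mar/2026:12:00:05 +0000] "GET /api/settings?a%5B%255F%255Fproto%255F%255F%5D%5Bx%5D=1 HTTP/1.1" 200 64',
];

// Request target from the quoted request line: "METHOD target HTTP/x.y".
const REQUEST_LINE_RE = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/;

// Payload shapes after decoding. "prototype" on its own is deliberately not
// matched: it appears in ordinary URLs (see line 4) and would only add noise.
const PP_PAYLOAD_RE = /__proto__|constructor\s*[\[.]\s*["']?prototype\b/i;

// Percent-decode up to two passes so "%255F" (double-encoded "_") is caught.
// Malformed sequences stop decoding instead of throwing away the line.
function decodeLoose(s) {
  let out = s.replace(/\+/g, ' ');
  for (let pass = 0; pass < 2; pass++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch (_) {
      break;
    }
  }
  return out;
}

// Returns one hit per suspicious line: line number, client IP, raw target
// and the decoded fragment that matched, which is what an analyst wants to
// see first when triaging.
function findPrototypePollution(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    const m = line.match(REQUEST_LINE_RE);
    if (!m) return;
    const decoded = decodeLoose(m[1]);
    const pp = decoded.match(PP_PAYLOAD_RE);
    if (pp) {
      hits.push({ line: idx + 1, ip: line.split(' ')[0], target: m[1], matched: pp[0] });
    }
  });
  return hits;
}

for (const hit of findPrototypePollution(SAMPLE_LOG)) {
  console.log(`line ${hit.line} ${hit.ip} matched "${hit.matched}" in ${hit.target}`);
}
```

Access logs only show the query string, so a payload delivered in a POST body (line 3 would be invisible if the same keys were in the body rather than the URL) needs a WAF or application-level request logging to be seen at all. Pair this search with the error-string search from the advisory: a request hit followed shortly by TypeErrors from the same client is a much stronger signal than either alone.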

🔗 References

  • Vendor advisory (GHSA-rxrv-835q-v5mh): https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh