Prototype Pollution in Locutus JS v2.0.12<2.0.39
CVE-2026-25521 Published on February 4, 2026

Locutus is vulnerable to Prototype Pollution
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.

Github Repository NVD

Vulnerability Analysis

CVE-2026-25521 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Prototype Pollution Vulnerability?

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CVE-2026-25521 has been classified to as a Prototype Pollution vulnerability or weakness.

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2026-25521 has been classified to as a Mass Assignment vulnerability or weakness.


Products Associated with CVE-2026-25521

Want to know whenever a new CVE is published for Red Hat Logging? stack.watch will email you.

Red Hat Logging
 

Affected Versions

locutusjs locutus: Logging Subsystem for Red Hat OpenShift:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-25521

Package Manager Vulnerable Package Versions Fixed In
npm swiper >= 6.5.1, < 12.1.2 12.1.2

Exploit Probability

EPSS
0.24%
Percentile
14.41%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.