CVE-2026-33993
Received Received - Intake
Prototype Pollution in Locutus PHP Unserialize Enables DoS and Injection

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) β€” `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33993
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locutus locutus to 3.0.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Locutus library, specifically in the unserialize() function of locutus/php/var/unserialize prior to version 3.0.25. When deserializing PHP serialized data, the function assigns keys to plain JavaScript objects without filtering out the __proto__ key. If an attacker includes __proto__ as a key in the serialized payload, it triggers JavaScript's __proto__ setter, which replaces the object's prototype with attacker-controlled content. This leads to prototype pollution, enabling property injection, propagation of injected properties during for...in loops, and potential denial of service by overriding built-in methods.

Impact Analysis

The vulnerability can impact you by allowing an attacker to inject properties into objects via prototype pollution. This can cause unexpected behavior in the application, including the propagation of malicious properties through object iterations and denial of service by overriding critical built-in methods. Such impacts can compromise application stability and security.

Mitigation Strategies

To mitigate this vulnerability, upgrade Locutus to version 3.0.25 or later, where the issue with the unserialize() function assigning deserialized keys without filtering the __proto__ key has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33993. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart