CVE-2026-33994
Received Received - Intake
Prototype Pollution in Locutus `parse_str` Allows Object Hijacking

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original β€” trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33994
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locutus locutus From 2.0.39 (inc) to 3.0.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the npm package locutus, specifically in the parse_str function between versions 2.0.39 and before 3.0.25. It is a prototype pollution vulnerability that allows an attacker to modify Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parse_str. The issue arises because the guard meant to prevent prototype pollution uses RegExp.prototype.test, which itself can be overridden, allowing the attacker to bypass the protection.

This vulnerability is a result of an incomplete fix for a previous vulnerability (CVE-2026-25521), where the original guard using String.prototype.includes() was replaced with RegExp.prototype.test(), but since RegExp.prototype.test is writable, the new guard can also be bypassed. The vulnerability was fixed in version 3.0.25 with an updated fix.

Impact Analysis

An attacker exploiting this vulnerability can perform prototype pollution, which means they can modify the base Object prototype in JavaScript. This can lead to unexpected behavior in applications using the vulnerable parse_str function, potentially causing security issues such as denial of service, data manipulation, or execution of arbitrary code depending on how the polluted prototype is used.

Mitigation Strategies

To mitigate this vulnerability, upgrade the npm package locutus to version 3.0.25 or later, as this version contains an updated fix for the prototype pollution issue in the parse_str function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart