locutus@2.0.29 vulnerabilities

Locutus other languages' standard libraries to JavaScript for fun and educational purposes

  • latest version

    3.0.32

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    2 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the locutus package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity
    Prototype Pollution

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized objects, potentially bypassing authorization checks or causing denial of service by overriding built-in methods, by supplying specially crafted serialized payloads containing the __proto__ key.

    How to fix Prototype Pollution?

    Upgrade locutus to version 3.0.25 or higher.

    Vulnerable versions: <3.0.25
    • Critical severity
    Arbitrary Code Injection

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the create_function(args, code) function. An attacker can execute arbitrary code by supplying unsanitized input to the arguments, which are passed directly to the Function constructor.

    How to fix Arbitrary Code Injection?

    Upgrade locutus to version 3.0.14 or higher.

    Vulnerable versions: <3.0.14
    • Critical severity
    Eval Injection

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Eval Injection in the call_user_func_array() function, which executes eval() on user-supplied input, and does not sanitize the second argument in the input array (the method name). An attacker can execute arbitrary JavaScript code with the privileges of the Node.js runtime if the target application is being used as a gateway or router using Locutus functions.

    How to fix Eval Injection?

    Upgrade locutus to version 3.0.0 or higher.

    Vulnerable versions: <3.0.0
    • High severity
    Prototype Pollution

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Prototype Pollution via the locutus.php.strings.parse_str function. An attacker can modify the prototype of global objects by supplying crafted input, leading to authentication bypass, denial of service, or execution of arbitrary code if polluted properties are passed to sensitive sinks.

    How to fix Prototype Pollution?

    Upgrade locutus to version 2.0.39 or higher.

    Vulnerable versions: >=2.0.12 <2.0.39
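Added example, not locutus code and not part of the Snyk entries above: a defensive pre-check an application can run on raw input before handing it to parse_str (the query-string Prototype Pollution entry) or unserialize (the __proto__ serialized-payload entry), rejecting keys that would reach Object.prototype. The function names and the sample strings are assumptions constructed for the example; upgrading to the fixed versions is still the actual remediation.

```javascript
// Added example (not from the locutus project): reject deserializer input whose
// keys could land on Object.prototype. Keys that matter for prototype pollution:
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Percent-decode a query-string token so "%5F%5Fproto%5F%5F" is caught as well
// as a literal "__proto__"; malformed encodings fall back to the raw token.
function safeDecode(token) {
  try {
    return decodeURIComponent(token.replace(/\+/g, ' '));
  } catch (e) {
    return token;
  }
}

// Query-string form (what parse_str consumes): PHP-style keys like "a[b][c]" are
// split into their bracket segments and every segment is checked.
function queryStringHasDangerousKey(qs) {
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    const key = safeDecode(pair.split('=')[0]);
    const segments = key.replace(/\]/g, '').split('[');
    if (segments.some((seg) => DANGEROUS_KEYS.has(seg.trim()))) {
      return true;
    }
  }
  return false;
}

// PHP serialized form (what unserialize consumes): every string token is encoded
// as s:<byte length>:"<bytes>"; read each body by its declared length so that
// quotes or delimiters inside a string are not misparsed. Assumes ASCII keys,
// where byte length equals character length.
function serializedHasDangerousKey(data) {
  const re = /s:(\d+):"/g;
  let m;
  while ((m = re.exec(data)) !== null) {
    const len = Number(m[1]);
    const start = m.index + m[0].length;
    const body = data.slice(start, start + len);
    if (DANGEROUS_KEYS.has(body)) {
      return true;
    }
    re.lastIndex = start + len; // skip the string body before scanning on
  }
  return false;
}

// Wrapper to place in front of either locutus parser (parseFn is the caller's
// choice, e.g. a parse_str or unserialize import); throws instead of parsing
// when the raw input carries a dangerous key.
function parseGuarded(parseFn, checkFn, input) {
  if (checkFn(input)) {
    throw new Error('rejected input: key targets Object.prototype');
  }
  return parseFn(input);
}
```

The checks run on the raw string, so they work with any version of the library; pair them with a post-parse audit of Object.getOwnPropertyNames(Object.prototype) in integration tests.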