locutus@3.0.2

Locutus other languages' standard libraries to JavaScript for fun and educational purposes

  • latest version

    3.0.34

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the locutus package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • H (High)
    Prototype Pollution

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized objects, potentially bypassing authorization checks or causing denial of service by overriding built-in methods, by supplying specially crafted serialized payloads containing the __proto__ key.

    How to fix Prototype Pollution?

    Upgrade locutus to version 3.0.25 or higher.

    <3.0.25
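    The advisory above describes payloads that smuggle a `__proto__` key through deserialization. The block below is an added example for defenders and is not locutus code: it is a pre-check that scans a PHP-serialized string (the `s:<len>:"<bytes>";` token format that `unserialize` consumes) for prototype-related keys before any deserializer sees it, plus a post-check that `Object.prototype` gained no own properties. The function names, the deny list and the two sample payloads are constructed for this example; the deserializer is passed in as a parameter so the code runs without locutus installed. It complements, rather than replaces, upgrading to 3.0.25 or higher.

```javascript
// Added defensive example (not part of locutus). Assumes input in PHP
// serialize() text format; names and sample payloads are constructed here.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Scan a PHP-serialized string for string tokens (s:<len>:"<bytes>";) whose
// literal is a prototype-related key. Lengths in this format count bytes, so
// the scan runs over a one-char-per-byte view of the input. Each string body
// is skipped by its declared length, so "s:" inside a value cannot confuse it.
function findDangerousKeys(serialized) {
  const bytes = Buffer.from(serialized, 'utf8').toString('latin1');
  const re = /s:(\d+):"/g;
  const found = [];
  let m;
  while ((m = re.exec(bytes)) !== null) {
    const len = Number(m[1]);
    const start = m.index + m[0].length;
    const literal = bytes.slice(start, start + len);
    if (DANGEROUS_KEYS.has(literal)) found.push(literal);
    re.lastIndex = start + len; // resume after the string body, not inside it
  }
  return found;
}

// Wrap any deserializer: refuse payloads carrying dangerous keys, and verify
// afterwards that Object.prototype gained no own properties. The second check
// is a detection signal in case a payload ever slips past the first.
function guardedUnserialize(serialized, unserialize) {
  const bad = findDangerousKeys(serialized);
  if (bad.length > 0) {
    throw new Error(`rejected serialized input: dangerous key(s) ${bad.join(', ')}`);
  }
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  const result = unserialize(serialized);
  const added = Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
  if (added.length > 0) {
    throw new Error(`prototype pollution detected: ${added.join(', ')}`);
  }
  return result;
}

// Constructed sample payloads in PHP serialize() syntax (not from the advisory).
const BENIGN = 'a:1:{s:4:"name";s:5:"alice";}';
const SUSPECT = 'a:1:{s:9:"__proto__";a:1:{s:8:"polluted";b:1;}}';

// Usage: guardedUnserialize(payload, require('locutus/php/var/unserialize'))
// With a stand-in deserializer for an offline run:
console.log(findDangerousKeys(BENIGN));  // []
console.log(findDangerousKeys(SUSPECT)); // [ '__proto__' ]
try {
  guardedUnserialize(SUSPECT, () => ({}));
} catch (e) {
  console.log(e.message);
}
```

The deny list is deliberately small and the scan only understands plain `s:` string tokens, not PHP's escaped `S:` form; treat it as an input-validation layer in front of the library, and keep `Object.freeze(Object.prototype)` in mind as an additional process-wide hardening option where the application tolerates it.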
    • H (High)
    Prototype Pollution

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Prototype Pollution in the parse_str function. An attacker can modify the prototype of built-in objects by overriding RegExp.prototype.test and supplying a crafted query string, which bypasses the intended guard and allows assignment to dangerous key paths. This can result in unauthorized property injection into global objects, potentially leading to authentication bypass, denial of service, or remote code execution if polluted properties are used in sensitive operations.

    Note:

    1. This is only exploitable if another vulnerability or gadget in the application allows the attacker to override RegExp.prototype.test prior to invoking the affected process.

    2. This vulnerability stems from an incomplete fix for CVE-2026-25521.

    How to fix Prototype Pollution?

    Upgrade locutus to version 3.0.25 or higher.

    >=2.0.39 <3.0.25
    • C (Critical)
    Arbitrary Code Injection

    locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the create_function(args, code) function. An attacker can execute arbitrary code by supplying unsanitized input to the arguments, which are passed directly to the Function constructor.

    How to fix Arbitrary Code Injection?

    Upgrade locutus to version 3.0.14 or higher.

    <3.0.14