Cyber Resilience

CVE-2026-25521

Severity: Critical · Public PoC referenced · Updated

Published: 04 February 2026
Modified: 27 June 2026
KEV Added: not listed
Patch: fixed in Locutus 2.0.39
CVSS Score (v4): 9.4, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0024 (14.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25521 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the Locutus JavaScript library (vendor and product both listed as "Locutus"). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25521 is a prototype pollution vulnerability (CWE-1321) affecting the Locutus JavaScript library, which ports standard libraries from other programming languages to JavaScript for educational purposes. The issue impacts versions from 2.0.12 up to but not including 2.0.39. Despite a prior fix that checked user input for forbidden keys, attackers can still pollute Object.prototype using a crafted input via String.prototype. Published on 2026-02-04, it carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. By supplying crafted input, they can modify Object.prototype, potentially leading to high impacts on confidentiality, integrity, and availability due to the changed scope.

The vulnerability is patched in Locutus version 2.0.39. Mitigation details are available in the patching commit at https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c and the GitHub security advisory at https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh.

Vulnerability details

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.

CWE(s): CWE-1321 (Prototype Pollution)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Prototype pollution allows a local, low-privilege attacker to modify Object.prototype via crafted JavaScript input, directly enabling privilege escalation (T1068) and JavaScript-based execution/abuse (T1059.007), with high confidentiality, integrity and availability impact and a scope change.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33993 (same product: Locutus Locutus)
CVE-2026-33994 (same product: Locutus Locutus)
CVE-2026-29091 (same product: Locutus Locutus)
CVE-2026-32304 (same product: Locutus Locutus)
CVE-2026-44005 (shared CWE-1321)
CVE-2026-33228 (shared CWE-1321, CWE-915)
CVE-2026-34427 (shared CWE-915)
CVE-2026-42044 (shared CWE-1321, CWE-915)
CVE-2026-34406 (shared CWE-915)
CVE-2026-44290 (shared CWE-1321)

Affected Assets

Vendor: locutus
Product: locutus
Affected versions: 2.0.12 up to, but not including, 2.0.39

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-2, Flaw Remediation): Mandates timely remediation of known software flaws like this prototype pollution vulnerability by patching Locutus to version 2.0.39.

Detect (RA-5, Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify systems using vulnerable Locutus versions affected by this CVE.

Prevent (control ID not shown on this page): Enforces input validation to block crafted inputs exploiting the String.prototype pollution path in Locutus.

References

Patching commit: https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c
GitHub security advisory: https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh