CVE-2026-25521
Published: 04 February 2026
Summary
CVE-2026-25521 is a high-severity Prototype Pollution (CWE-1321) vulnerability in the Locutus JavaScript library. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.0th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of known software flaws such as this prototype pollution vulnerability by updating Locutus to version 2.0.39 or later.
RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems running Locutus versions affected by this CVE (2.0.12 up to, but not including, 2.0.39).
SI-10 (Information Input Validation): enforces input validation to reject crafted inputs that reach Object.prototype through the String.prototype path in Locutus.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Prototype pollution lets a local, low-privileged attacker modify Object.prototype through crafted JavaScript input. That directly enables privilege escalation (T1068) and JavaScript-based execution or abuse (T1059.007), with high confidentiality, integrity and availability impact and a scope change, since every object in the process inherits the polluted properties.
NVD Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
Deeper analysis
CVE-2026-25521 is a prototype pollution vulnerability (CWE-1321) affecting the Locutus JavaScript library, which ports standard libraries from other programming languages to JavaScript for educational purposes. The issue impacts versions from 2.0.12 up to but not including 2.0.39. Despite a prior fix that checked user input for forbidden keys, attackers can still pollute Object.prototype using a crafted input via String.prototype. Published on 2026-02-04, it carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. By supplying crafted input to the affected Locutus code, the attacker writes attacker-controlled properties onto Object.prototype; because every object in the process inherits from it, the effect reaches beyond the vulnerable component (the S:C scope change) and can yield high impact on confidentiality, integrity, and availability.
The vulnerability is patched in Locutus version 2.0.39. Mitigation details are available in the patching commit at https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c and the GitHub security advisory at https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh.
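The advisory describes the general shape of this bug class: a first fix screens user-supplied keys against a forbidden list, and a crafted key path still walks onto Object.prototype. The following is an added, generic illustration written for this page. It is not Locutus's code and does not reproduce the specific String.prototype bypass reported against it; the helper names (unsafeDeepSet, safeDeepSet, demonstrate), the forbidden-key list and the hostile key paths are constructed assumptions. It shows a naive deep-set that checks only the literal "__proto__" key, two generic ways such a check is bypassed, and a hardened variant.

```javascript
// Generic CWE-1321 illustration written for this page. It is NOT Locutus's
// parsing code and does not reproduce the specific bypass reported against it;
// the helper names and the forbidden-key list are assumptions.

// A deep-set that guards only the literal "__proto__" key, the shape a first
// fix often takes. It compares with ===, so a String wrapper object slips
// past, and it never considers the constructor.prototype route at all.
function unsafeDeepSet(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (key === '__proto__') throw new Error('forbidden key');
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key]; // may step onto Object.prototype via an inherited property
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened variant: normalise every key to a primitive string before checking,
// reject the three keys that lead to a prototype, and only descend into own,
// plain-object properties so inherited ones are never used as a step.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepSet(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
    if (i === path.length - 1) {
      cur[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null); // null-prototype intermediates
    }
    cur = cur[key];
  }
  return target;
}

// Runs both helpers against two constructed hostile key paths and reports what
// happened to a fresh, unrelated object. Cleans up Object.prototype afterwards.
function demonstrate() {
  const probe = () => ({}).polluted; // reads through the prototype chain
  const results = {};

  // 1) constructor.prototype route: plain string keys, none is "__proto__"
  unsafeDeepSet({}, ['constructor', 'prototype', 'polluted'], 'via-constructor');
  results.unsafeViaConstructor = probe();
  delete Object.prototype.polluted;

  // 2) String wrapper object: === against the literal fails, but property
  //    access coerces it to "__proto__" and walks onto Object.prototype
  unsafeDeepSet({}, [new String('__proto__'), 'polluted'], 'via-wrapper');
  results.unsafeViaWrapper = probe();
  delete Object.prototype.polluted;

  // The hardened helper rejects both paths and still handles a benign one
  results.safeBlocked = 0;
  const hostile = [['constructor', 'prototype', 'polluted'],
                   [new String('__proto__'), 'polluted']];
  for (const p of hostile) {
    try { safeDeepSet({}, p, 'x'); } catch (e) { results.safeBlocked++; }
  }
  results.afterSafe = probe();
  results.benign = safeDeepSet({}, ['user', 'name'], 'alice').user.name;
  return results;
}

console.log(demonstrate());
```

The deny-list alone is the weak point: it is only as good as the exact comparison and the completeness of the list. Refusing to descend through inherited properties and using null-prototype intermediates removes the route to Object.prototype regardless of how the key is spelled or wrapped.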
Details
- CWE(s)