Cyber Posture

CVE-2026-33993

Severity: Critical · Public PoC referenced

Published: 27 March 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: fixed in version 3.0.25
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33993 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the Locutus JavaScript library (vendor Locutus, product Locutus). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires timely patching of the vulnerable Locutus library to version 3.0.25 or later, which specifically filters the __proto__ key during PHP deserialization to prevent prototype pollution.
- prevent: Mandates validation of untrusted PHP serialized inputs to block __proto__ keys and other dangerous payloads that trigger JavaScript prototype pollution.
- detect / respond: Enables scanning for CVE-2026-33993 in deployed Locutus instances and rapid remediation of vulnerable versions prior to exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote, unauthenticated exploitation of a public-facing application via a crafted payload passed to unserialize() directly matches T1190; property injection that enables denial of service through built-in method overrides matches T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

Deeper analysis [AI-generated]

CVE-2026-33993 is a prototype pollution vulnerability in the Locutus JavaScript library, which emulates standard libraries from other programming languages for educational purposes. The issue affects the `unserialize()` function located in `locutus/php/var/unserialize` in versions prior to 3.0.25. This function deserializes PHP serialized payloads by assigning keys to plain JavaScript objects using bracket notation without filtering the `__proto__` key. When a payload includes `__proto__` as an array or object key, it triggers JavaScript's `__proto__` setter, allowing attackers to replace the object's prototype with controlled content. The vulnerability is rated at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

Any unauthenticated remote attacker can exploit this vulnerability by providing a specially crafted PHP serialized payload to an application using the affected `unserialize()` function. Successful exploitation enables property injection onto the polluted prototype, which can propagate through for...in loops to other objects. Attackers can also achieve denial of service by overriding built-in methods. This issue is distinct from prior prototype pollution vulnerabilities in Locutus's `parse_str` function, as `unserialize()` lacked specific mitigations.

The Locutus project addressed this in version 3.0.25 via a patch that filters the `__proto__` key during deserialization. Security practitioners should upgrade to this version or later. Relevant resources include the patching commit at https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4, pull request https://github.com/locutusjs/locutus/pull/597, release notes at https://github.com/locutusjs/locutus/releases/tag/v3.0.25, and the security advisory at https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877.
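As an added illustration of the mechanism the NVD description and the analysis above describe, the following block is a deliberately small PHP-serialization reader with the unfiltered bracket assignment beside the filtered form. It is example code written for this page, not the Locutus implementation and not the project's patch: the parser (which understands only `i:`, `s:` and `a:` tokens and counts string length in JavaScript characters rather than bytes), the `filterProto` switch, the `inspect` helper and the sample payload are all constructed here.

```javascript
'use strict';

// Constructed example, NOT Locutus code. Minimal PHP-serialization reader
// supporting i: (integer), s: (string) and a: (array). `filterProto` selects
// the unfiltered (vulnerable) or filtered (hardened) key assignment.
function phpUnserialize(input, { filterProto }) {
  let pos = 0;

  // Consume characters up to the next `ch` and step past it.
  const readUntil = (ch) => {
    const end = input.indexOf(ch, pos);
    if (end < 0) throw new Error(`unterminated token at offset ${pos}`);
    const out = input.slice(pos, end);
    pos = end + 1;
    return out;
  };
  // Require a literal character at the current position.
  const expect = (ch) => {
    if (input[pos] !== ch) throw new Error(`expected '${ch}' at offset ${pos}`);
    pos += 1;
  };

  function value() {
    const type = input[pos];
    pos += 1;
    expect(':');
    switch (type) {
      case 'i':
        return Number(readUntil(';'));
      case 's': {
        const len = Number(readUntil(':')); // toy: JS length, not PHP byte length
        expect('"');
        const str = input.slice(pos, pos + len);
        pos += len;
        expect('"');
        expect(';');
        return str;
      }
      case 'a': {
        const count = Number(readUntil(':'));
        expect('{');
        const out = {};
        for (let i = 0; i < count; i += 1) {
          const key = value();
          const val = value();
          // Hardened path: drop the key the fix filters. Object.create(null)
          // or Object.defineProperty are alternative belt-and-braces choices.
          if (filterProto && key === '__proto__') continue;
          // Vulnerable path: bracket assignment with key "__proto__" invokes
          // the __proto__ setter and replaces this object's prototype.
          out[key] = val;
        }
        expect('}');
        return out;
      }
      default:
        throw new Error(`unsupported type '${type}' at offset ${pos - 2}`);
    }
  }

  return value();
}

// Summarise the observable state of a parsed object so the effect can be
// asserted rather than eyeballed. for...in walks the prototype chain, which is
// how injected properties propagate into callers that iterate the result.
function inspect(obj) {
  const enumerated = [];
  for (const k in obj) enumerated.push(k);
  return {
    ownKeys: Object.keys(obj),
    enumerated,
    inherited: obj.polluted,
    prototypeIntact: Object.getPrototypeOf(obj) === Object.prototype,
    toStringIsFunction: typeof obj.toString === 'function',
    globalPrototypeClean: !Object.prototype.hasOwnProperty('polluted'),
  };
}

// Constructed sample: a PHP array whose second key is "__proto__" and whose
// value carries an injected property plus a built-in method override.
const SAMPLE_PAYLOAD =
  'a:2:{s:4:"name";s:5:"alice";s:9:"__proto__";' +
  'a:2:{s:8:"polluted";s:3:"yes";s:8:"toString";s:6:"broken";}}';

function parseUnfiltered(payload = SAMPLE_PAYLOAD) {
  return inspect(phpUnserialize(payload, { filterProto: false }));
}

function parseFiltered(payload = SAMPLE_PAYLOAD) {
  return inspect(phpUnserialize(payload, { filterProto: true }));
}
```

Running `parseUnfiltered()` on the sample yields an object whose own keys are just `name`, but whose `for...in` walk also reports `polluted` and `toString`, whose `toString` is now a string rather than a function (the built-in method override that produces the denial-of-service condition), and whose prototype is no longer `Object.prototype`. `parseFiltered()` returns only `name` with the prototype intact. Two points worth noting for defenders: the replacement affects the deserialized object's own prototype, not the global `Object.prototype`, exactly as the advisory text states; and `Object.getPrototypeOf(result) === Object.prototype` is a cheap post-deserialization sanity check for code that cannot yet upgrade, although upgrading to 3.0.25 or later is the actual fix.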

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)

Affected Products

Vendor: locutus
Product: locutus
Version range as listed: ≤ 3.0.25 (note that the NVD description above states that versions prior to 3.0.25 are affected and that 3.0.25 patches the issue)

CVEs Like This One

- CVE-2026-33994 (same product: Locutus)
- CVE-2026-25521 (same product: Locutus)
- CVE-2026-29091 (same product: Locutus)
- CVE-2026-32304 (same product: Locutus)
- CVE-2024-57083 (shared CWE-1321)
- CVE-2024-57069 (shared CWE-1321)
- CVE-2026-30226 (shared CWE-1321)
- CVE-2025-8083 (shared CWE-1321)
- CVE-2026-30939 (shared CWE-1321)
- CVE-2024-57067 (shared CWE-1321)
