{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33993", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.212Z", "datePublished": "2026-03-27T22:14:03.495Z", "dateUpdated": "2026-03-30T15:45:18.660Z"}, "containers": {"cna": {"title": "Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"}, {"name": "https://github.com/locutusjs/locutus/pull/597", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/pull/597"}, {"name": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4"}, {"name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "tags": ["x_refsource_MISC"], "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25"}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"version": "< 3.0.25", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:14:03.495Z"}, "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "source": {"advisory": "GHSA-4mph-v827-f877", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:45:05.433846Z", "id": "CVE-2026-33993", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:45:18.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33993", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:45:05.433846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:45:13.571Z"}}], "cna": {"title": "Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()", "source": {"advisory": "GHSA-4mph-v827-f877", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "locutusjs", "product": "locutus", "versions": [{"status": "affected", "version": "< 3.0.25"}]}], "references": [{"url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "name": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/locutusjs/locutus/pull/597", "name": "https://github.com/locutusjs/locutus/pull/597", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "name": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "name": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:14:03.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33993", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:45:18.660Z", "dateReserved": "2026-03-24T22:20:06.212Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:14:03.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue."}], "id": "CVE-2026-33993", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:14.237", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4"}, {"source": "security-advisories@github.com", "url": "https://github.com/locutusjs/locutus/pull/597"}, {"source": "security-advisories@github.com", "url": "https://github.com/locutusjs/locutus/releases/tag/v3.0.25"}, {"source": "security-advisories@github.com", "url": "https://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Locutus: Locutus: Prototype Pollution and Denial of Service vulnerability in unserialize() function", "id": "2452536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452536"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-915", "details": ["Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) \u2014 `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.", "A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The `unserialize()` function, which converts serialized PHP data into JavaScript objects, fails to filter the `__proto__` key during deserialization. A remote attacker can exploit this by providing a specially crafted PHP serialized payload that includes `__proto__` as an array or object key. This vulnerability, known as prototype pollution, allows for property injection and can lead to a Denial of Service (DoS) by enabling attackers to override built-in JavaScript methods."], "name": "CVE-2026-33993", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Out of support scope", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-03-27T22:14:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33993\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33993\nhttps://github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4\nhttps://github.com/locutusjs/locutus/pull/597\nhttps://github.com/locutusjs/locutus/releases/tag/v3.0.25\nhttps://github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.25)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "locutus", "source": "cna", "vendor": "locutusjs"}, "product": "locutus", "vendor": "locutus"}], "analysis": {"en": {"generated_at": "2026-03-28T05:50:56.589271+00:00", "value": {"mitigation_remediation": ["Update locutus to version 3.0.25 or newer, which removes the prototype injection flaw.", "If an update is not possible, validate or sanitize any serialized PHP payloads to strip or encode __proto__ keys before passing them to unserialize()", "Avoid using unserialize() with untrusted data whenever feasible"], "summary": {"action": "Apply Patch", "impact": "Prototype Pollution enabling property injection, potential denial of service"}, "threat_synthesis": {"affected_systems": "The problem exists in the Locutus library for JavaScript under the product locutusjs:locutus. All releases before version 3.0.25 generate objects via bracket notation without filtering the __proto__ key, so versions less than 3.0.25 are affected. Version 3.0.25 onward includes the fix.", "description_and_impact": "Attacker-controlled keys named __proto__ can replace the prototype of deserialized objects, allowing injection of arbitrary properties and overriding built-in methods. This vulnerability can lead to injection of malicious code or denial of service, specifically through property propagation during for\u2026in loops or by tampering with standard object behavior.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.9, indicating a moderate to high severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is the application of a PHP serialized string containing a __proto__ key to the unserialize() function, which then mutates the JavaScript prototype chain. This can be leveraged if the library processes untrusted input in a client- or server-side context."}}}}, "created": "2026-03-29T20:29:26.943177+00:00", "updated": "2026-03-30T07:59:13.672211+00:00", "vendors": ["locutus", "locutus$PRODUCT$locutus"]}