PT-2026-28588 · Npm · Locutus

Gtsp233 · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33994

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: locutus versions 2.0.39 through 3.0.24

Description: A prototype pollution issue exists in the parse_str function of the npm package locutus. An attacker can manipulate Object.prototype by overriding RegExp.prototype.test and then providing a specially crafted query string to parse_str, bypassing the prototype pollution protection. This issue arises from an incomplete fix for a previous vulnerability. The initial fix replaced a guard based on String.prototype.includes() with one based on RegExp.prototype.test(), but RegExp.prototype.test is also a writable prototype method and can be overridden, allowing the guard to be bypassed. The vulnerability requires a chained scenario: the attacker needs a separate prototype pollution gadget to override RegExp.prototype.test before exploiting parse_str. This could potentially lead to authentication bypass, denial of service, or remote code execution if a polluted property is passed to vulnerable functions. The vulnerable code resides in parse_str.js, specifically at line 77, where RegExp.prototype.test() is used to check for forbidden keys in user-provided input.

Recommendations: Upgrade to locutus version 3.0.25 or later.
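The weakness described above is general: any forbidden-key guard that calls a method looked up through a prototype (String.prototype.includes, RegExp.prototype.test, Array.prototype.includes) is only as trustworthy as that prototype at call time. The following is an added illustration, not code from locutus or from the advisory author. It places a simplified guard of the kind the description mentions (`isForbiddenKeyWeak`, an assumed stand-in, not the actual parse_str.js line 77) beside a hardened guard that relies only on strict equality, which no prototype pollution gadget can redefine, and writes parsed keys into a null-prototype object so that even a key that slipped past the guard could not reach Object.prototype. `regexpTestIsIntact` shows the complementary detection idea of capturing the native reference at load time and checking it before use. The bracket-notation parser (`keySegments`, `parseQuery`) is a constructed minimal version written for this example.

```javascript
// Added example (not locutus code): overridable guard vs. strict-equality guard,
// plus a load-time capture used to detect a replaced RegExp.prototype.test.

const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];

// Captured when this module loads; assumes the module is loaded before any
// pollution gadget runs (a caveat, not a guarantee).
const NATIVE_REGEXP_TEST = RegExp.prototype.test;

function regexpTestIsIntact() {
  return RegExp.prototype.test === NATIVE_REGEXP_TEST;
}

// Assumed simplification of the guard described in the advisory: the regex
// literal looks up `test` through RegExp.prototype on every call, so a
// reassigned RegExp.prototype.test decides the outcome.
function isForbiddenKeyWeak(key) {
  return /^(__proto__|constructor|prototype)$/.test(key);
}

// Hardened guard: strict string comparison in a plain loop. Neither `===`
// nor the loop can be redirected by reassigning a prototype method, which is
// also why Array.prototype.includes/some are deliberately not used here.
function isForbiddenKeyStrict(key) {
  for (let i = 0; i < FORBIDDEN_KEYS.length; i++) {
    if (key === FORBIDDEN_KEYS[i]) return true;
  }
  return false;
}

// "a[b][c]" -> ["a", "b", "c"]; a trailing "[]" yields an empty segment.
function keySegments(rawKey) {
  const m = rawKey.match(/^([^\[]*)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  const segs = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

function anyForbidden(segs, isForbidden) {
  for (let i = 0; i < segs.length; i++) {
    if (isForbidden(segs[i])) return true;
  }
  return false;
}

// Minimal query-string parser. Every key segment is checked with the supplied
// guard and the whole pair is dropped if any segment is forbidden. Results are
// built on Object.create(null) as defence in depth: there is no inherited
// __proto__ accessor to walk into Object.prototype.
function parseQuery(qs, isForbidden) {
  const out = Object.create(null);
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const segs = keySegments(rawKey);
    if (anyForbidden(segs, isForbidden)) continue;
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i];
      if (typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return out;
}

// Constructed sample input: an ordinary pair, a nested pair, and a pair whose
// first segment is a forbidden key.
const SAMPLE_QUERY = 'a=1&user[name]=bob&__proto__[polluted]=yes';
const parsed = parseQuery(SAMPLE_QUERY, isForbiddenKeyStrict);
console.log(parsed, 'intact:', regexpTestIsIntact());
```

The practical takeaway for library authors is that the guard itself should not depend on anything a pollution gadget can rewrite, and that the target object should not be a plain `{}` in the first place; the load-time capture only helps when the check runs before the gadget, so it is a detection aid rather than a replacement for the strict guard.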

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-33994
GHSA-VC8F-X9PP-WF5P

Affected Products

Locutus