PT-2026-6310 · Locutus · Locutus

Cristianstaicu +3 · Published 2026-02-02 · Updated 2026-02-04 · CVE-2026-25521

CVSS v4.0: 9.4 (Critical)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Locutus versions 2.0.12 through 2.0.38

Description

Locutus, designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a prototype pollution issue. A previous attempt to address prototype pollution by checking for forbidden keys in user input was insufficient. It remains possible to pollute Object.prototype through a crafted input utilizing String.prototype. This allows for malicious property injection, potentially leading to further compromise.

Recommendations

Upgrade to version 2.0.39.
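
The description's point is that a forbidden-key check alone did not hold. The sketch below is an added example, not Locutus code or its 2.0.39 patch: it pairs a strict key check with a structural guard that never follows inherited properties. `setPath`, `defineOwn`, `FORBIDDEN` and `prototypePolluted` are hypothetical names.

```javascript
// Added example, not Locutus code. All names here are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const BASELINE = new Set(Reflect.ownKeys(Object.prototype));

// Own, enumerable data property; defineProperty never triggers an inherited setter.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });
}

// Write `value` at the nested path `keys` (untrusted input) under `root`.
function setPath(root, keys, value) {
  if (!Array.isArray(keys) || keys.length === 0) {
    throw new TypeError('keys must be a non-empty array');
  }
  // Validate the whole path before touching root, so a rejected path leaves no partial write.
  for (const key of keys) {
    // Primitive strings only: the value the denylist sees is the value used as the property name.
    if (typeof key !== 'string') throw new TypeError('key must be a primitive string');
    if (FORBIDDEN.has(key)) throw new RangeError('forbidden key: ' + key);
  }
  let node = root;
  for (const key of keys.slice(0, -1)) {
    // Second layer, independent of the denylist: descend only into own object-valued
    // properties; anything inherited is shadowed by a fresh null-prototype container.
    const child = hasOwn(node, key) ? node[key] : undefined;
    if (child === null || typeof child !== 'object') {
      defineOwn(node, key, Object.create(null));
    }
    node = node[key];
  }
  defineOwn(node, keys[keys.length - 1], value);
  return root;
}

// Regression check: true if Object.prototype gained any own key since this module loaded.
function prototypePolluted() {
  return Reflect.ownKeys(Object.prototype).some((k) => !BASELINE.has(k));
}
```

Calling `prototypePolluted()` after each parsing test case turns any regression in the key handling into a failing test rather than a silent global change.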

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-25521
GHSA-RXRV-835Q-V5MH

Affected Products

Locutus