2436950 – (CVE-2026-25521) CVE-2026-25521 locutus: Locutus is vulnerable to Prototype Pollution

Bug 2436950 (CVE-2026-25521) - CVE-2026-25521 locutus: Locutus is vulnerable to Prototype Pollution

Summary: CVE-2026-25521 locutus: Locutus is vulnerable to Prototype Pollution

Keywords:
Status:	NEW
Alias:	CVE-2026-25521
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2436971 2436972 2436973 2436974
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-04 22:01 UTC by OSIDB Bzimport
Modified:	2026-02-04 23:17 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-04 22:01:58 UTC

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.

Note You need to log in before you can comment on or make changes to this bug.