Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-33994

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.3%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-33994
  • Locutus » Locutus » Version: 2.0.39
    cpe:2.3:a:locutus:locutus:2.0.39
  • Locutus » Locutus » Version: 3.0.0
    cpe:2.3:a:locutus:locutus:3.0.0
  • Locutus » Locutus » Version: 3.0.1
    cpe:2.3:a:locutus:locutus:3.0.1
  • Locutus » Locutus » Version: 3.0.10
    cpe:2.3:a:locutus:locutus:3.0.10
  • Locutus » Locutus » Version: 3.0.11
    cpe:2.3:a:locutus:locutus:3.0.11
  • Locutus » Locutus » Version: 3.0.12
    cpe:2.3:a:locutus:locutus:3.0.12
  • Locutus » Locutus » Version: 3.0.13
    cpe:2.3:a:locutus:locutus:3.0.13
  • Locutus » Locutus » Version: 3.0.14
    cpe:2.3:a:locutus:locutus:3.0.14
  • Locutus » Locutus » Version: 3.0.15
    cpe:2.3:a:locutus:locutus:3.0.15
  • Locutus » Locutus » Version: 3.0.16
    cpe:2.3:a:locutus:locutus:3.0.16
  • Locutus » Locutus » Version: 3.0.17
    cpe:2.3:a:locutus:locutus:3.0.17
  • Locutus » Locutus » Version: 3.0.18
    cpe:2.3:a:locutus:locutus:3.0.18
  • Locutus » Locutus » Version: 3.0.19
    cpe:2.3:a:locutus:locutus:3.0.19
  • Locutus » Locutus » Version: 3.0.2
    cpe:2.3:a:locutus:locutus:3.0.2
  • Locutus » Locutus » Version: 3.0.20
    cpe:2.3:a:locutus:locutus:3.0.20
  • Locutus » Locutus » Version: 3.0.21
    cpe:2.3:a:locutus:locutus:3.0.21
  • Locutus » Locutus » Version: 3.0.22
    cpe:2.3:a:locutus:locutus:3.0.22
  • Locutus » Locutus » Version: 3.0.23
    cpe:2.3:a:locutus:locutus:3.0.23
  • Locutus » Locutus » Version: 3.0.3
    cpe:2.3:a:locutus:locutus:3.0.3
  • Locutus » Locutus » Version: 3.0.4
    cpe:2.3:a:locutus:locutus:3.0.4
  • Locutus » Locutus » Version: 3.0.5
    cpe:2.3:a:locutus:locutus:3.0.5
  • Locutus » Locutus » Version: 3.0.6
    cpe:2.3:a:locutus:locutus:3.0.6
  • Locutus » Locutus » Version: 3.0.7
    cpe:2.3:a:locutus:locutus:3.0.7
  • Locutus » Locutus » Version: 3.0.8
    cpe:2.3:a:locutus:locutus:3.0.8
  • Locutus » Locutus » Version: 3.0.9
    cpe:2.3:a:locutus:locutus:3.0.9


Products
Pricing
Contact Us

Shodan ® - All rights reserved