Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XLocutus
APPLocutus2.0.12 – 2.0.39 (bez)
Related vulnerabilities
Locutus: RCE w funkcji create_function() przez brak sanityzacji danych wejściowych
Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str ...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in vers...