CVE-2026-33993: Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
(updated )
The unserialize() function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized payload contains __proto__ as an array or object key, JavaScript’s __proto__ setter is invoked, replacing the deserialized object’s prototype with attacker-controlled content. This enables property injection, for…in propagation of injected properties, and denial of service via built-in method override.
This is distinct from the previously reported prototype pollution in parse_str (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — unserialize is a different function with no mitigation applied.
References
- github.com/advisories/GHSA-4mph-v827-f877
- github.com/locutusjs/locutus
- github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
- github.com/locutusjs/locutus/pull/597
- github.com/locutusjs/locutus/releases/tag/v3.0.25
- github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877
- nvd.nist.gov/vuln/detail/CVE-2026-33993
Code Behaviors & Features
Detect and mitigate CVE-2026-33993 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →