A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.
A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.
The package locutus are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
The locutus package is vulnerable to Prototype Pollution via the php.strings.parse_str function.
php/exec/escapeshellarg in Locutus PHP allows an attacker to execute code.